How to fix CVE-2025-54068?

Within 24 hours: Inventory all Laravel deployments and identify those running Livewire v3 up to v3.6.3; immediately implement WAF rules blocking suspicious component hydration requests and isolate affected systems if patching cannot be completed immediately. Within 7 days: Upgrade all affected Livewire installations to v3.6.4 or later, and conduct a thorough audit of application and system logs for exploitation attempts or unauthorized access. Within 30 days: Perform full forensic review of affected systems, reset credentials, audit IAM permissions, and implement enhanced monitoring for component hydration anomalies.

Is Laravel affected by CVE-2025-54068?

Laravel applications using Livewire v3 up to v3.6.3 are exposed to unauthenticated remote code execution, allowing attackers to gain complete control of affected servers without valid credentials.

CVE-2025-54068

CRITICAL

2025-07-17 [email protected]

GHSA-29cq-5w36-x7w3

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Added to CISA KEV

Mar 20, 2026 - 18:36 cisa

CISA KEV

Analysis Generated

Mar 20, 2026 - 16:07 vuln.today

Patch Released

Mar 20, 2026 - 16:07 nvd

Patch available

CVE Published

Jul 17, 2025 - 19:15 nvd

CRITICAL 9.8

Description

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

Analysis

Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.

Technical Context

Livewire is a full-stack framework for Laravel that enables reactive server-side rendering. Component state is serialized, sent to the client, and deserialized (hydrated) on subsequent requests. The vulnerability exists in how certain property updates are hydrated — attacker-controlled data can influence the hydration process to execute arbitrary PHP code. This affects Livewire v3 specifically (introduced in the v3 rewrite) and is exploitable without authentication on any page using vulnerable component patterns.

Affected Products

['Livewire v3 through v3.6.3', 'Any Laravel application using Livewire v3']

Remediation

Upgrade Livewire to v3.6.4 or later immediately. If unable to upgrade, review component property definitions for potentially vulnerable patterns. Rotate all secrets in .env after patching. Audit application logs for suspicious Livewire requests.

Priority Score

115

Low Medium High Critical

KEV: +50

EPSS: +16.0

CVSS: +49

POC: 0

CVE-2025-54068 vulnerability details – vuln.today

Back

CVE-2025-54068

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-54068

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code