Livewire v3 (≤ 3.6.3) is vulnerable to unauthenticated remote command execution in specific scenarios.
Vulnerability Details:
- Component: Livewire
- Affected Versions: ≥ 3.0.0-beta.1, < 3.6.4
- Patched Version: 3.6.4
- Issue: Component property update hydration allows RCE.
- CVE: CVE-2025-54068
Impact:
- Attackers can execute arbitrary commands without auth or user interaction.
- Exploitation requires a component to be mounted and configured in a particular way.
Mitigation:
- Update Livewire to v3.6.4 or later immediately.
- No known workaround available.
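
A check for the affected range listed above, as an added example (not part of the advisory or of Livewire): it reads a composer.lock document and classifies the locked livewire/livewire version. The function names and the sample lock file are constructed for illustration.

```python
import json
import re

# Affected range as stated in the advisory: >= 3.0.0-beta.1, < 3.6.4
FIRST_AFFECTED = "3.0.0-beta.1"
FIRST_PATCHED = "3.6.4"
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def version_key(version):
    """Return a sortable key, or None for branch aliases such as dev-main."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    core = tuple(int(p) for p in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (1, ())  # a final release sorts after its pre-releases
    # Numeric pre-release identifiers sort before alphanumeric ones (SemVer).
    pre = tuple((0, int(p), "") if p.isdigit() else (1, 0, p.lower())
                for p in m.group(4).split("."))
    return core + (0, pre)


def livewire_status(lock_text):
    """Classify the livewire/livewire entry of a composer.lock document."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name", "").lower() != "livewire/livewire":
            continue
        installed = pkg.get("version", "")
        key = version_key(installed)
        if key is None:
            return ("unknown", installed)  # check the locked commit by hand
        if version_key(FIRST_AFFECTED) <= key < version_key(FIRST_PATCHED):
            return ("affected", installed)
        return ("not-affected", installed)
    return ("not-installed", None)


if __name__ == "__main__":
    # Constructed sample lock file, not taken from a real project.
    sample = json.dumps({"packages": [
        {"name": "laravel/framework", "version": "v11.9.0"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ]})
    print(livewire_status(sample))
```

A result of "unknown" means the lock file pins a branch alias rather than a tagged release, so the locked commit has to be compared against the 3.6.4 tag manually.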
Exploitation Tool:
- Livepyre: A tool to exploit CVE-2025-54068; it requires the APP_KEY for some scenarios.
Usage Example:
$ ./Livepyre.py -u https://target.com/