Executive Summary
A critical remote code execution (RCE) vulnerability (CVE-2025-54068) has been identified in Laravel Livewire v3, a widely-used full-stack framework for building interactive frontends in Laravel applications. The flaw allows a remote, unauthenticated attacker to execute arbitrary commands on the underlying server without any credentials or user interaction.
CISA has added CVE-2025-54068 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. With over 53 million downloads and usage in more than 30% of new Laravel projects, the attack surface is enormous. Organizations running Livewire v3.0.0-beta.1 through v3.6.3 must upgrade to v3.6.4 immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-54068 |
| CVSS Score | 9.8 (Critical) / 9.2 (CVSS v4.0) |
| CWE | CWE-94 — Improper Control of Code Generation (Code Injection) |
| Type | Remote Code Injection / Unauthenticated RCE |
| Attack Vector | Network |
| Attack Complexity | High (v4.0) / Low (v3.1) |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Vendor | Livewire / Laravel |
| Product | Laravel Livewire |
| Affected Versions | 3.0.0-beta.1 through 3.6.3 |
| Fixed Version | 3.6.4 |
| CISA KEV Added | March 20, 2026 |
| Exploitation Status | Actively exploited in the wild |
| Exploit Tool | Livepyre (public PoC) |
Affected Versions
| Product | Affected Versions | Fixed Version | Action |
|---|---|---|---|
| Laravel Livewire | 3.0.0-beta.1 – 3.6.3 | 3.6.4 | Upgrade immediately |
| Laravel Livewire | v1.x, v2.x | Not affected | No action required |
Livewire v3 introduced significant architectural changes — the vulnerability is unique to the v3 hydration mechanism and does not affect v1 or v2.
Technical Analysis
Root Cause: Hydration Mechanism Bypass
Livewire v3 syncs state between server and browser via a "hydration" system:
- Dehydration: Component state is serialized and sent to the browser as JSON
- Rehydration (Hydration): On the next request, the serialized state is deserialized back into PHP objects on the server
The flaw exists in HandleComponents.php, where property updates sent by the client are applied during rehydration without adequate validation of the synthesizer ("synth") tuples that tell Livewire how to turn each serialized value back into a PHP object. Normally, Livewire protects the dehydrated snapshot with a checksum keyed by the application's APP_KEY, so a client cannot forge component state. CVE-2025-54068 let an attacker reach the vulnerable rehydration path without a valid checksum, so no knowledge of the APP_KEY is required.
Exploit Chain
Because hydration instantiates PHP objects from attacker-influenced data, the gadget-chain technique familiar from unserialize() attacks applies here as well. Researchers at Synacktiv identified a chain built on GuzzleHttp\Psr7\FnStream, whose __destruct magic method invokes a stored callable; when the crafted object is garbage-collected, that callable runs an arbitrary command:
1. Attacker identifies a publicly reachable Livewire v3 application
2. No authentication required — any internet-facing Livewire app is a target
3. Attacker crafts a malicious Livewire component update HTTP request
4. The request contains a synthesized property update with an injected gadget payload
5. Livewire hydrates the component state without checksum validation (bypass)
6. GuzzleHttp FnStream gadget chain triggers __destruct during PHP GC
7. Arbitrary OS command executes in the context of the PHP/web server process
8. Attacker achieves full RCE: webshell, reverse shell, data exfiltration
Livepyre: Public Exploit Tool
Synacktiv released Livepyre, a tool that automates exploitation in two modes:
- Without APP_KEY (CVE-2025-54068): Only requires the target URL — no secret needed
- With APP_KEY: Exploits a separate design-level flaw for RCE on any Livewire v3 app where the key is known or leaked
The APP_KEY-dependent path remains unpatched. If your APP_KEY has ever been exposed (in .env files, git history, logs), your application remains at risk even on v3.6.4.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full server compromise via injected command execution |
| Data Exfiltration | Access to database, uploaded files, Laravel .env secrets |
| Webshell Installation | Persistent backdoor for ongoing unauthorized access |
| Credential Theft | Database passwords, API keys, APP_KEY, cloud credentials |
| Lateral Movement | Compromised server used as pivot into internal networks |
| Attacks on End Users | Defacement, malicious redirects, or client-side attack delivery to visitors |
| APP_KEY Exposure Amplification | Even after patching, leaked APP_KEY enables a separate RCE path |
Immediate Remediation
Step 1: Upgrade Livewire to v3.6.4
```bash
# Upgrade Livewire via Composer
composer require livewire/livewire:"^3.6.4"
# Confirm the installed version
composer show livewire/livewire | grep versions
```
Alternatively, update your composer.json to require `"livewire/livewire": "^3.6.4"` and run `composer update livewire/livewire` (scoping the update to the one package keeps an emergency deploy from pulling in unrelated upgrades).
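Before and after the upgrade, check what each environment actually has pinned rather than what composer.json requests. The following shell snippet is an added example, not code from the Livewire project or from the advisory: it reads the `livewire/livewire` version out of a composer.lock and tests it against the affected range numerically. It deliberately avoids `sort -V`, because GNU version sort places a pre-release such as 3.0.0-beta.1 after 3.0.0, yet that pre-release is affected. The composer.lock excerpt is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the Livewire project or the advisory): check a
# composer.lock for an affected livewire/livewire version. Affected range per
# the advisory: 3.0.0-beta.1 .. 3.6.3; fixed in 3.6.4.
set -eu

# Returns 0 if the version is in the affected range, 1 otherwise.
# Accepts composer.lock-style strings ("v3.6.3") and pre-release tags
# ("3.0.0-beta.1" is treated as 3.0.0, which is affected). Branch aliases
# such as "dev-main" are non-numeric and reported as not affected; check
# those by hand against the installed source.
livewire_is_vulnerable() {
  local v="${1#v}"          # composer.lock records versions as "v3.6.3"
  v="${v%%[-+]*}"           # drop pre-release / build metadata suffix
  local major minor patch
  IFS=. read -r major minor patch _ <<EOF
$v
EOF
  case "${major:-x}${minor:-0}${patch:-0}" in *[!0-9]*) return 1 ;; esac
  if [ "$major" -ne 3 ]; then return 1; fi                        # v1/v2 (and v4+) unaffected
  if [ "$minor" -lt 6 ]; then return 0; fi                        # 3.0.x .. 3.5.x
  if [ "$minor" -eq 6 ] && [ "$patch" -lt 4 ]; then return 0; fi  # 3.6.0 .. 3.6.3
  return 1
}

# Prints the livewire/livewire version recorded in a composer.lock, or
# nothing if the package is not present.
locked_livewire_version() {
  awk '
    /"name": *"livewire\/livewire"/ { found = 1; next }
    found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }
  ' "$1"
}

# Human-readable verdict for one lock file.
report_lock() {
  local ver
  ver=$(locked_livewire_version "$1")
  if [ -z "$ver" ]; then
    echo "no livewire/livewire in $1"
  elif livewire_is_vulnerable "$ver"; then
    echo "AFFECTED: livewire/livewire $ver in $1 (upgrade to 3.6.4)"
  else
    echo "ok: livewire/livewire $ver in $1"
  fi
}

# Constructed composer.lock excerpt standing in for a real lock file.
LOCK=$(mktemp)
trap 'rm -f "$LOCK"' EXIT
cat >"$LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "laravel/framework",
            "version": "v11.44.0"
        },
        {
            "name": "livewire/livewire",
            "version": "v3.6.3"
        }
    ]
}
EOF

report_lock "$LOCK"
```

Run `report_lock` against the composer.lock of every deployed environment (dev, staging, production); `composer show` in Step 1 only tells you about the machine you run it on.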
Step 2: Rotate Your APP_KEY (If Possibly Exposed)
```bash
# Generate a new APP_KEY (written to .env)
php artisan key:generate
# Clear cached config and application cache; if your deployment uses
# config:cache, re-run it after rotating
php artisan config:clear
php artisan cache:clear
# Invalidate sessions. Rotating APP_KEY already invalidates every encrypted
# session cookie; also purge server-side session data for your SESSION_DRIVER,
# e.g. for the default file driver:
rm -f storage/framework/sessions/*
# (database driver: truncate the `sessions` table)
```
Do not skip this step if your .env file was ever committed to a repository, logged, or exposed: the APP_KEY-dependent exploit path is not fixed by the patch alone. Rotation also invalidates anything else encrypted under the old key (encrypted cookies, values stored via Crypt::encrypt); on Laravel 11 and later, APP_PREVIOUS_KEYS lets the old key keep decrypting existing data while new data is written under the new one.
Step 3: Scan for Indicators of Compromise
```bash
# Look for PHP webshells in storage (including Livewire's temporary upload
# directory, storage/app/livewire-tmp by default) and under public/
find /var/www/html/storage -name "*.php" -type f
find /var/www/html/public -name "*.php" -type f -not -name "index.php"
# Check for PHP files outside vendor/ changed since the last dependency install.
# Timestamps can be forged; where possible, diff against a known-good release
# artifact instead of trusting mtimes.
find /var/www/html -name "*.php" -newer /var/www/html/composer.lock \
  -not -path "*/vendor/*" -type f
# Review POST requests to Livewire endpoints in access logs
grep -E "POST .*/livewire/(update|upload-file)" /var/log/nginx/access.log | tail -500
# Look for outbound connections from PHP or web server processes (reverse
# shells); -p needs root to show other users' sockets
sudo ss -antp | grep -E 'php|apache2|httpd'
```
Step 4: Temporary Mitigation (If Immediate Patching Is Blocked)
If you cannot upgrade immediately, refuse requests to the Livewire endpoints at the web server. This takes every Livewire component on the site offline until the patch is deployed, so treat it as a stop-gap, not a fix; adjust the paths if your Livewire route prefix is customized.
```nginx
# Nginx: refuse all requests to the Livewire endpoints. Do not combine
# `return 403;` with allow/deny: `return` runs before access checks, so an
# allow list placed alongside it would never take effect.
location ~ ^/livewire/(update|upload-file|preview-file) {
    return 403;
}
```
```apache
# Apache 2.4: allow only localhost to reach the Livewire endpoints
<LocationMatch "^/livewire/(update|upload-file|preview-file)">
    Require ip 127.0.0.1
</LocationMatch>
```
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected PHP files in /storage/ or public upload dirs | Webshell planted post-exploitation |
| Anomalous POST requests to /livewire/update | Exploitation attempt in progress |
| Long or base64-encoded request bodies to Livewire endpoints | Injection payload delivery |
| Outbound TCP connections originating from web server process | Reverse shell or C2 beaconing |
| New or modified files in web root with recent timestamps | Post-exploitation persistence |
| Unexpected cron jobs, SSH keys, or user accounts | Attacker persistence mechanisms |
| Processes spawned by php-fpm or apache2 executing curl, wget, bash | Live exploitation |
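To turn the indicators above, and the access-log grep in Step 3, into something repeatable, the following shell snippet is an added example (not from the Livewire project or the advisory). It applies three of the indicators to nginx access-log lines: a request body far larger than normal component updates, a 5xx response (a failed deserialization typically surfaces as a 500), and a POST to the update endpoint with no Referer, which browser-driven Livewire traffic normally carries. It assumes the nginx `log_format` is the combined format with `$request_length` appended as the final field; without that field the size check is inert. The log lines are constructed with RFC 5737 documentation addresses.

```bash
#!/usr/bin/env bash
# Added example (not from the Livewire project or the advisory): triage
# Livewire traffic in an nginx access log against the indicators above.
# Assumes combined log format with $request_length appended as the last field.
set -eu

# Constructed sample log (documentation-range IPs). Lines 3-4 mimic an
# automated exploitation attempt, line 5 a scripted probe; the rest are benign.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
203.0.113.10 - - [20/Mar/2026:10:01:02 +0000] "POST /livewire/update HTTP/1.1" 200 512 "https://app.example/orders" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 1840
203.0.113.10 - - [20/Mar/2026:10:01:05 +0000] "POST /livewire/update HTTP/1.1" 200 498 "https://app.example/orders" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 1912
198.51.100.7 - - [20/Mar/2026:10:02:11 +0000] "POST /livewire/update HTTP/1.1" 500 0 "-" "python-requests/2.32.3" 48211
198.51.100.7 - - [20/Mar/2026:10:02:12 +0000] "POST /livewire/update HTTP/1.1" 500 0 "-" "python-requests/2.32.3" 48230
203.0.113.31 - - [20/Mar/2026:10:03:07 +0000] "POST /livewire/update HTTP/1.1" 200 210 "-" "curl/8.5.0" 730
203.0.113.22 - - [20/Mar/2026:10:03:40 +0000] "GET /login HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" 402
EOF

# Print one line per suspicious Livewire POST: client, path, status, request
# length and the reasons it was flagged. Threshold is in bytes (default 16 KiB).
flag_livewire_requests() {
  local log="$1" threshold="${2:-16384}"
  awk -v thr="$threshold" '
    # $6 = quoted method, $7 = path, $9 = status, $11 = referer, $NF = request_length
    $6 == "\"POST" && $7 ~ /^\/livewire\/(update|upload-file)/ {
      len = $NF + 0; status = $9 + 0; reason = ""
      if (len > thr)      reason = reason "oversized-body "
      if (status >= 500)  reason = reason "server-error "
      if ($11 == "\"-\"") reason = reason "no-referer "
      if (reason != "")   print $1, $7, status, len, reason
    }' "$log"
}

# Count of Livewire update POSTs per client, busiest first; a burst from one
# address, especially paired with 5xx responses, is a common exploitation shape.
livewire_posts_per_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/livewire\/update/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

count_flagged() { flag_livewire_requests "$1" "${2:-16384}" | wc -l | tr -d ' '; }

echo "== flagged requests =="
flag_livewire_requests "$LOG"
echo "== update POSTs per client =="
livewire_posts_per_ip "$LOG"
```

Tune the threshold from a baseline of your own traffic before patching: a component that round-trips a large form will legitimately exceed 16 KiB, and a missing Referer is only a heuristic if your site sets a restrictive Referrer-Policy.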
Post-Remediation Checklist
- Upgrade Livewire to v3.6.4 across all environments (dev, staging, production)
- Rotate `APP_KEY` and clear all cached config, especially if the key may have been exposed
- Invalidate all user sessions after key rotation
- Audit PHP files in storage, upload, and public directories for webshells
- Review access logs for suspicious POST requests to `/livewire/update` prior to patching
- Check for unauthorized admin/SSH accounts created post-exploitation
- Review scheduled tasks and cron jobs for attacker persistence
- Enable WAF rules to detect and block oversized or malformed Livewire requests
- Monitor outbound connections from the PHP/web server process
- Audit git history; if `.env` was ever committed, rotate all secrets immediately
- Enable two-factor authentication on all application admin accounts
- Notify your incident response team if any IOCs are confirmed
References
- NVD — CVE-2025-54068
- CISA Known Exploited Vulnerabilities Catalog
- Synacktiv Research: Livewire Remote Command Execution via Unmarshaling
- Laravel News — Livewire Security Vulnerability
- SecurityOnline — Critical Flaw in Livewire Exposes Laravel Apps to Stealthy RCE
- Securing Laravel — Security Notice: Livewire v3 RCE