CVE-2025-54068

Name of the Vulnerable Software and Affected Versions Livewire versions 3.0.0 through 3.6.3

Description An issue in the Livewire full-stack framework for Laravel allows unauthenticated attackers to achieve remote command execution in specific scenarios. The problem arises from unsafe object unmarshaling during the hydration of certain component property updates. Hydration is the process of restoring a component's state from a serialized format. Exploitation does not require user interaction or authentication but requires a component to be mounted and configured in a specific manner. Real-world incidents include the installation of crypto miners and the creation of spam pages with permanent redirects to casino websites via a hidden WordPress installation.

Recommendations Update Livewire to version 3.6.4 or later.