PT-2025-29947 · Livewire · Livewire

Caleb Porzio · Published 2025-07-17 · Updated 2026-05-05 · CVE-2025-54068

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Livewire versions 3.0.0 through 3.6.3

Description

An issue in the Livewire full-stack framework for Laravel allows unauthenticated attackers to achieve remote command execution in specific scenarios. The problem arises from unsafe object unmarshaling during the hydration of certain component property updates. Exploitation requires a component to be mounted and configured in a particular way but does not require user interaction. Real-world incidents include the creation of spam pages, unauthorized redirects for SEO manipulation, and the installation of cryptocurrency miners on affected servers.

Recommendations

Update Livewire to version 3.6.4 or later.
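
A version check for the affected range, as an added example that is not part of this advisory or of Livewire: it reads the content of a `composer.lock` and reports whether the locked Livewire release falls in 3.0.0 through 3.6.3. The Composer package name `livewire/livewire` and the sample lock content are assumptions; versions that are not plain `x.y.z` are reported as unknown for manual review.

```python
import json
import re

PACKAGE = "livewire/livewire"   # Composer package name (assumption: not stated on the page)
FIRST_AFFECTED = (3, 0, 0)      # from the advisory: 3.0.0 through 3.6.3
FIRST_FIXED = (3, 6, 4)         # from the advisory: update to 3.6.4 or later

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def classify(version):
    """Return 'affected', 'not-affected' or 'unknown' for one version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        # Branch aliases (dev-main) and pre-release tags need manual review.
        return "unknown"
    parsed = tuple(int(p) for p in m.groups())
    return "affected" if FIRST_AFFECTED <= parsed < FIRST_FIXED else "not-affected"


def check_lock(lock_text):
    """Scan composer.lock content; return (version, status), or None if not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                return version, classify(version)
    return None


# Constructed sample lock content (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.2"},
        {"name": "livewire/livewire", "version": "v3.6.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```
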

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-05933
CVE-2025-54068
GHSA-29CQ-5W36-X7W3

Affected Products

Livewire