SCA: security update for livewire/livewire (GHSA-29cq-5w36-x7w3)

Critical | Tenable Cloud Security | Plugin ID 428439

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability
allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue
stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire
v3 and does not affect prior major versions. Exploitation requires a component to be mounted and
configured in a particular way, but does not require authentication or user interaction. This issue has
been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as
soon as possible. No known workarounds are available. (CVE-2025-54068)

Solution

Update the livewire/livewire library and its related packages to version 3.6.4 or later.

See Also

https://github.com/advisories/GHSA-29cq-5w36-x7w3

Plugin Details

Severity: Critical

ID: 428439

Version: Revision 1.21

Type: Local

Family: SCA Checks

Published: 7/18/2025

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.9

Percentile: 99.36

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-54068

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 9.2

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/17/2025

Vulnerability Publication Date: 7/17/2025

CISA Known Exploited Vulnerability Due Dates: 4/3/2026

Reference Information

CVE: CVE-2025-54068

CWE: CWE-94