Livewire 3.x < 3.6.4 Remote Code Execution

critical Web App Scanning Plugin ID 115113

Synopsis

Livewire 3.x < 3.6.4 Remote Code Execution

Description

Livewire is a full-stack framework for Laravel that makes building dynamic interfaces simple, without leaving the comfort of Laravel.

A remote code execution vulnerability exists in Livewire versions prior to 3.6.4 due to improper handling of serialized data during the component hydration process. An attacker can exploit this vulnerability by sending a specially crafted request containing malicious serialized data to the server, which is then deserialized and executed, allowing the attacker to execute arbitrary code on the server.

Note: When the identified Livewire version is either 3.6.3 (vulnerable) or 3.6.4 (patched), the plugin reports the website as **potentially** vulnerable.

Solution

Upgrade to Livewire version 3.6.4 or later.

See Also

https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc

https://github.com/livewire/livewire/releases/tag/v3.6.4

https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3

https://www.synacktiv.com/en/publications/livewire-remote-command-execution-through-unmarshaling

Plugin Details

Severity: Critical

ID: 115113

Type: remote

Published: 1/15/2026

Updated: 1/19/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-54068

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2025-54068

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-54068

Vulnerability Information

CPE: cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/17/2025

Vulnerability Publication Date: 7/16/2025

Reference Information

CVE: CVE-2025-54068