← Volver a CVEs

CVE-2025-54068

CRITICALCISA KEV

9.8

Descripcion

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado7/17/2025

Ultima modificacion3/20/2026

Fuentenvd

Avistamientos honeypot0

CISA KEV

VendedorLaravel

ProductoLivewire

Nombre vulnerabilidadLaravel Livewire Code Injection Vulnerability

Fecha inclusion KEV2026-03-20

Fecha limite remediacion2026-04-03

Uso en ransomwareUnknown

Productos afectados

laravel:livewire

Debilidades (CWE)

CWE-94

Referencias

https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc(security-advisories@github.com)

https://github.com/livewire/livewire/releases/tag/v3.6.4(security-advisories@github.com)

https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3(security-advisories@github.com)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54068(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.threathunter.ai/blog/iranian-threat-actor-tools-techniques-iocs-ioas/(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.