← Retour aux CVEs

CVE-2025-54068

CRITICALCISA KEV

9.8

Description

Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie7/17/2025

Derniere modification3/20/2026

Sourcenvd

Observations honeypot0

CISA KEV

FournisseurLaravel

ProduitLivewire

Nom vulnerabiliteLaravel Livewire Code Injection Vulnerability

Date ajout KEV2026-03-20

Date limite remediation2026-04-03

Utilise dans ransomwareUnknown

Produits affectes

laravel:livewire

Faiblesses (CWE)

CWE-94

References

https://github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dc(security-advisories@github.com)

https://github.com/livewire/livewire/releases/tag/v3.6.4(security-advisories@github.com)

https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3(security-advisories@github.com)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54068(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.threathunter.ai/blog/iranian-threat-actor-tools-techniques-iocs-ioas/(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.