Livewire vulnerable to remote command execution during property update hydration
Description
Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
livewire/livewirePackagist | >= 3.0.0-beta.1, < 3.6.4 | 3.6.4 |
Affected products
1- livewire/livewirev5Range: >= 3.0.0-beta.1, < 3.6.4
Patches
1ef04be759da4Fix property update hydration
1 file changed · +19 −1
src/Mechanisms/HandleComponents/HandleComponents.php+19 −1 modified@@ -216,6 +216,24 @@ protected function hydrate($valueOrTuple, $context, $path) }); } + protected function hydratePropertyUpdate($valueOrTuple, $context, $path, $raw) + { + if (! Utils::isSyntheticTuple($value = $tuple = $valueOrTuple)) return $value; + + [$value, $meta] = $tuple; + + // Nested properties get set as `__rm__` when they are removed. We don't want to hydrate these. + if ($this->isRemoval($value) && str($path)->contains('.')) { + return $value; + } + + $synth = $this->propertySynth($meta['s'], $context, $path); + + return $synth->hydrate($value, $meta, function ($name, $child) use ($context, $path, $raw) { + return $this->hydrateForUpdate($raw, "{$path}.{$name}", $child, $context); + }); + } + protected function render($component, $default = null) { if ($html = store($component)->get('skipRender', false)) { @@ -339,7 +357,7 @@ protected function hydrateForUpdate($raw, $path, $value, $context) // If we have meta data already for this property, let's use that to get a synth... if ($meta) { - return $this->hydrate([$value, $meta], $context, $path); + return $this->hydratePropertyUpdate([$value, $meta], $context, $path, $raw); } // If we don't, let's check to see if it's a typed property and fetch the synth that way...
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-29cq-5w36-x7w3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-54068ghsaADVISORY
- github.com/livewire/livewire/commit/ef04be759da41b14d2d129e670533180a44987dcghsax_refsource_MISCWEB
- github.com/livewire/livewire/releases/tag/v3.6.4ghsax_refsource_MISCWEB
- github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3ghsax_refsource_CONFIRMWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
- www.threathunter.ai/blog/iranian-threat-actor-tools-techniques-iocs-ioasghsaWEB
News mentions
0No linked articles in our index yet.