CVE-2025-54068 — Laravel Livewire Code Injection Vulnerability

CVE-2025-54068

Laravel Livewire v3 — Hydration Deserialization Enabling Pre-Auth RCE (MuddyWater Exploited)

What is Laravel Livewire?

Laravel Livewire is a full-stack component framework for the Laravel PHP web framework, used by developers to build dynamic, reactive web interfaces without writing JavaScript. Livewire v3 powers a large number of Laravel web applications globally — it is one of the most popular Laravel ecosystem packages with millions of downloads. Livewire components maintain state between server and client through a "hydration/dehydration" cycle: component state is serialized (dehydrated) for the HTTP response and then deserialized (hydrated) on subsequent requests. This state synchronization mechanism is the attack surface for this vulnerability.

Overview

CVE-2025-54068 is a critical code injection vulnerability (CWE-94) in Laravel Livewire v3's hydration mechanism. The updates processing pathway fails to enforce strict typing on component properties, allowing attacker-controlled synthesizer class names to be smuggled into the hydration context. This enables object instantiation during hydration that the application did not intend, escalating to arbitrary PHP code execution and full RCE. In specific scenarios this is exploitable without authentication and without knowledge of the application's Laravel APP_KEY. Synacktiv discovered the vulnerability, presented at Nullcon 2025, and released a PoC tool (Livepyre). CISA added the CVE to the KEV catalog 8 months after the patch, confirming exploitation of long-tail unpatched deployments by MuddyWater.

Affected Versions

Product         Vulnerable                        Fixed
Livewire v3.x   v3.0.0-beta.1 through v3.6.3      v3.6.4
Livewire v2.x   Not affected

No workaround exists — upgrade to v3.6.4 is the only remediation.

Technical Details

The vulnerability (CWE-94: Code Injection) is in Livewire v3's component hydration system. Livewire serializes component state into JSON (the "snapshot") that is embedded in the page and sent back in subsequent requests. The updates array in the request is processed by synthesizer classes that handle specific PHP types.

Two exploitation paths exist:

  1. Without APP_KEY (unauthenticated, no HMAC required in specific scenarios): The updates mechanism fails to enforce strict type checking on property values. An attacker can craft a request that injects synthesizer class names via the updates pathway, exploiting PHP's loose typing to coerce a simple scalar value (e.g., an integer counter) into an unexpected type. This triggers unintended synthesizer instantiation during hydration, which can chain into arbitrary code execution via existing PHP classes on the server.

  2. With APP_KEY known: Attacker chains Livewire synthesizer classes to craft a snapshot payload achieving stealthy RCE via recursive hydration — essentially a PHP deserialization gadget chain using Livewire's own type system as the gadget.

Synacktiv released Livepyre, an open-source PoC tool demonstrating exploitation, alongside the full technical writeup at Nullcon 2025. The combination of public PoC, widespread Livewire v3 adoption, and delayed patching by many organizations resulted in the long-tail exploitation CISA confirmed 8 months later.

Discovery

Discovered by Synacktiv (French security research firm). Full technical writeup published at https://www.synacktiv.com/en/publications/livewire-remote-command-execution-through-unmarshaling with PoC tool Livepyre released on GitHub. Presented at Nullcon 2025.

Exploitation Context

Active exploitation confirmed by the time CISA added CVE-2025-54068 to the KEV catalog on 20 March 2026 — approximately 8 months after the patch was available. The 8-month delay between patch and KEV listing indicates sustained exploitation of unpatched deployments in the long tail after initial disclosure. MuddyWater (Static Kitten, Mango Sandstorm, G0069 — Iranian state-sponsored APT) has been linked to exploitation campaigns targeting diplomatic and critical infrastructure sectors (energy, finance). The public Livepyre PoC lowered the technical bar, enabling both state-sponsored actors and opportunistic criminals to exploit the vulnerability.

Remediation

  1. Upgrade Livewire to v3.6.4 or later immediately via Composer: composer update livewire/livewire.
  2. Verify the installed version: composer show livewire/livewire — confirm it shows 3.6.4 or higher.
  3. No workaround exists — upgrade is the only fix. There is no configuration change or WAF rule that fully mitigates this vulnerability.
  4. Audit application logs for unusual Livewire hydration requests — look for requests with unexpected synthesizer class names or unusual snapshot structures.
  5. Review server filesystem for newly created PHP files (webshells) in public-accessible directories.
  6. Rotate application credentials stored in .env (database passwords, API keys) if compromise is suspected — these are accessible to RCE payloads.
  7. Enable Laravel Telescope or application-level logging to capture and review all Livewire wire requests from suspicious IP addresses.
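An added log-triage helper (example code, not from the original advisory or from the Livewire project) that applies the audit in step 4 to captured /livewire/update request bodies. It assumes the Livewire v3 wire format in which each component carries a JSON-string snapshot with data, memo and checksum fields and non-scalar values are dehydrated as [value, meta] pairs naming their synthesizer under the short key "s"; the allowlist of synthesizer keys and the sample request are constructed placeholders, not values taken from the page or from Livewire.

```python
import json
import re
# Synthesizer keys the application expects. Constructed placeholder set: build
# the real one from the synthesizers shipped with your installed Livewire version.
EXPECTED_SYNTH_KEYS = {"arr", "clctn", "mdl", "enm", "str", "form"}
# Matches a fully-qualified PHP class name such as App\Models\User (example only).
FQCN_RE = re.compile(r"^\\?[A-Za-z_]\w*(\\[A-Za-z_]\w*)+$")

def _walk(value, path, findings):
    # Assumed v3 layout: dehydrated non-scalar values are [value, meta] pairs
    # whose meta dict names the synthesizer under the short key "s".
    if isinstance(value, list) and len(value) == 2 and isinstance(value[1], dict):
        synth = value[1].get("s")
        if synth is not None:
            if not isinstance(synth, str) or FQCN_RE.match(synth):
                findings.append((path, "class-name-or-non-string-synth-key"))
            elif synth not in EXPECTED_SYNTH_KEYS:
                findings.append((path, "unknown-synth-key"))
        _walk(value[0], path, findings)
    elif isinstance(value, dict):
        for k, v in value.items():
            _walk(v, f"{path}.{k}", findings)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _walk(v, f"{path}[{i}]", findings)

def triage_update_request(body):
    """Return (path, reason) findings for one captured /livewire/update body."""
    findings = []
    for i, comp in enumerate(json.loads(body).get("components", [])):
        try:
            snapshot = json.loads(comp["snapshot"])  # the snapshot is a JSON string
        except (KeyError, TypeError, ValueError):
            findings.append((f"components[{i}].snapshot", "unparseable-snapshot"))
            continue
        if "checksum" not in snapshot:
            findings.append((f"components[{i}].snapshot", "missing-checksum"))
        _walk(snapshot.get("data", {}), f"components[{i}].snapshot.data", findings)
        _walk(comp.get("updates", {}), f"components[{i}].updates", findings)
    return findings

# Constructed sample request: one benign component, one whose updates carry a class name where a short key belongs, one with an unknown key and no checksum.
SAMPLE_BODY = json.dumps({"components": [
    {"snapshot": json.dumps({"data": {"n": 1, "tags": [["a"], {"s": "arr"}]}, "checksum": "x"}),
     "updates": {"n": 2}},
    {"snapshot": json.dumps({"data": {"n": 1}, "checksum": "x"}),
     "updates": {"n": [0, {"s": "App\\Evil\\Synth"}]}},
    {"snapshot": json.dumps({"data": {"items": [[], {"s": "zzz"}]}}), "updates": {}},
]})
```

Feed it each request body captured by Telescope or your access-layer logging and escalate any component that yields a finding.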

Key Details

Property              Value
CVE ID                CVE-2025-54068
Vendor / Product      Laravel — Livewire
NVD Published         2025-07-17
NVD Last Modified     2026-03-20
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-94
CISA KEV Added        2026-03-20
CISA KEV Deadline     2026-04-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-04-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-07-17   CVE published; Livewire v3.6.4 released fixing the vulnerability; Synacktiv publishes full technical writeup
2025-07-17   Synacktiv releases Livepyre PoC tool on GitHub; presents findings at Nullcon 2025
2026-03-20   CISA adds to Known Exploited Vulnerabilities catalog (8 months after patch) — confirms exploitation of long-tail unpatched instances
2026-04-03   CISA BOD 22-01 remediation deadline