CVE-2025-54068: Deep dive into Livewire, from weak typing to pre-authenticated remote command execution
Rémi Matasse (Security research, Synacktiv), Pierre Martin (Security Researcher, Depi)
CVE-2025-54068 exposed a critical vulnerability in Livewire, a popular full-stack framework for Laravel, enabling pre-authenticated remote command execution (RCE) by exploiting PHP’s weak typing and Livewire’s hydration mechanism. According to GitHub, Livewire has been downloaded more than 74 million times, making it one of the most widely used Laravel dependencies ever.
Traditionally, Livewire protects its state with a checksum signed by the application’s APP_KEY. However, this vulnerability allowed attackers to bypass the APP_KEY requirement entirely by smuggling synthesizers through the updates mechanism, effectively breaking the state synchronization between server and browser.
The root cause lies in Livewire’s component property update hydration process, where recursive calls and improper context preservation enabled malicious payload injection. Exploitation required only the target application’s URL, making it accessible to unauthenticated attackers. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4.
This talk will detail the technical chain from weak typing to RCE, demonstrate the exploit process, discuss the hardening measures implemented by Livewire to prevent similar issues in the future and, in particular, show the consequences of the publication of the associated proof of concept at the end of last year.