2026-07-01 –, Amphitheater 122
CVE-2025-54068 exposed a critical vulnerability in Livewire, a popular full-stack framework for Laravel, enabling pre-authenticated remote command execution (RCE) by exploiting PHP’s weak typing and Livewire’s hydration mechanism. According to GitHub, Livewire has been downloaded more than 74 million times, making it one of the most used Laravel dependencies.
Traditionally, Livewire protects its state with a checksum signed by the application’s APP_KEY. However, this vulnerability allowed attackers to bypass the APP_KEY requirement entirely by smuggling synthesizers through the updates mechanism, effectively breaking the state synchronization between server and browser.
The root cause lies in Livewire’s component property update hydration process, where recursive calls and improper context preservation enabled malicious payload injection. Exploitation required only the target application’s URL, making it accessible to unauthenticated attackers. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4.
This talk will detail the technical chain from weak typing to RCE, demonstrate the exploit process, discuss the hardening measures implemented by Livewire to prevent similar issues in the future and, in particular, show the consequences of the publication of the associated proof of concept at the end of last year.
Livewire traditionally secures its state using a checksum signed by the application’s APP_KEY. However, CVE-2025-54068 allowed attackers to bypass this protection entirely by smuggling synthesizers through the updates mechanism, disrupting the synchronization between server and browser. The root cause lies in Livewire’s component property update hydration process, where recursive calls and improper context preservation created an opening for malicious payload injection. Exploitation required only the target application’s URL, making it accessible to unauthenticated attackers and significantly lowering the barrier to attack.
To automate the exploitation of CVE-2025-54068, we released Livepyre last December, an open-source tool on our GitHub page. The tool simplifies the process by identifying vulnerable Livewire installations and attempting to achieve RCE either by leveraging object types in the application’s snapshot or through a targeted brute-force approach. Livepyre’s release not only demonstrated the practical risk of the vulnerability but also served as a proof-of-concept to raise awareness and encourage rapid patching within the Laravel and Livewire communities.
Even though the vulnerability was patched in July 2025, many internet-facing servers remained unprotected against it. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4. Its severity was underscored by its inclusion in advisories from CISA (Cybersecurity and Infrastructure Security Agency) after worldwide exploitation by threat actors at the start of 2026, highlighting the risk to a vast number of applications and the urgency of immediate patching.
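Given the affected range the abstract states (3.0.0-beta.1 through 3.6.3, fixed in 3.6.4), here is an added defender-side check that reads a composer.lock and flags a pinned livewire/livewire version inside that range; this is illustrative code written for this page, not Livewire's, Synacktiv's or Livepyre's, and the lock fragment below is constructed.

```python
import json
import re
from typing import Optional, Tuple

# Affected range as stated in the abstract: 3.0.0-beta.1 <= version <= 3.6.3; fixed in 3.6.4.
AFFECTED_LOW = "3.0.0-beta.1"
FIXED_IN = "3.6.4"

# Pre-release ordering: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
_VERSION_RE = r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|a|b)\.?(\d+)?)?"


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn a Composer/semver-style version (optional 'v' prefix, optional
    pre-release tag) into a tuple so that 3.0.0-beta.1 < 3.0.0 < 3.6.4."""
    m = re.fullmatch(_VERSION_RE, v.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (_PRE_RANK[m.group(4).lower()], int(m.group(5) or 0))
    else:
        pre = (9, 0)  # a final release outranks every pre-release of the same number
    return (major, minor, patch, pre[0], pre[1])


def is_affected(version: str) -> bool:
    """True when a livewire/livewire version falls in the CVE-2025-54068 range."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) < parse_version(FIXED_IN)


def check_composer_lock(lock_text: str) -> Optional[dict]:
    """Return {'version', 'affected'} for the pinned livewire/livewire, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "livewire/livewire":
            ver = pkg.get("version", "")
            return {"version": ver, "affected": is_affected(ver)}
    return None


# Constructed sample lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.0.0"},
    {"name": "livewire/livewire", "version": "v3.6.3"},
]})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```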
I am Rémi Matasse (pseudo Remsio), a pentester who has worked at Synacktiv for the past four years, passionate about offensive web security, especially anything related to PHP.
I spent some years working on concrete PHP filter chain exploitation, documenting it in blog posts and presenting it at several conferences such as Nullcon or hack.lu.
I then decided to focus on Laravel, since we often come across this framework during audits, before jumping in with both feet on exploitation based on APP_KEY leaks.
Cybersecurity Researcher at Depi focused on software supply chain security.