CVE-2025-54068: Unauthenticated Code Injection in Laravel Livewire Enables Remote Command Execution

CVE ID: CVE-2025-54068 Vendor: Laravel Product: Livewire Patch Deadline (CISA KEV): April 3, 2026 (federal agencies)

Vulnerability Overview

CVE-2025-54068 is a code injection vulnerability affecting Laravel Livewire, the full-stack component framework widely used to build dynamic interfaces within Laravel PHP applications. Unpatched versions of Livewire permit unauthenticated remote attackers to inject and execute arbitrary code on affected servers under specific application configuration or usage conditions.

The flaw is classified as a remote code execution (RCE) vulnerability with an unauthenticated attack vector, meaning no valid credentials or session tokens are required to exploit it. Successful exploitation gives the attacker code execution with the privileges of the web server process — typically the same account running PHP-FPM, Apache, or Nginx. Depending on server hardening posture, this can translate directly to full system compromise, data exfiltration, or deployment of persistent backdoors.

CISA has added CVE-2025-54068 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all U.S. federal agencies remediate by April 3, 2026.

Technical Details

Laravel Livewire operates by serializing and deserializing component state between the browser and server, handling component lifecycle events through AJAX requests. The vulnerability exists in how Livewire processes specific inputs tied to component handlers or configuration parameters. Under affected configurations, attacker-controlled input passes through code execution pathways without sufficient sanitization or validation, enabling injection of arbitrary PHP code or OS-level commands.

The attack vector is network-accessible. No authentication, privilege, or user interaction is required. The exploitable condition depends on application-specific configuration or usage patterns, which narrows the universal attack surface but does not eliminate risk — many production Laravel deployments use Livewire with default or minimally customized configurations that may satisfy the triggering conditions.

No public CVSS score has been confirmed at time of publication. Given the unauthenticated RCE classification and network attack vector, a CVSS v3.1 base score in the 9.0–9.8 range is consistent with vulnerabilities of this type and severity.

Affected Products

All Laravel Livewire versions prior to the patched release are affected. Organizations running Laravel applications that include the livewire/livewire Composer package should treat all pre-patch versions as vulnerable until confirmed otherwise. Multi-tenant SaaS platforms, e-commerce applications, and enterprise dashboards built on Laravel are commonly exposed.

Real-World Impact

Laravel powers a significant share of PHP web applications globally, and Livewire is a first-party supported package with widespread adoption across development teams that favor rapid UI development without leaving the PHP stack. An unauthenticated RCE vulnerability in this component exposes backend servers, application databases, environment credentials (.env files), cloud provider API keys, and internal network infrastructure to attackers who can reach the web endpoint.

Web-facing Livewire components are accessible without authentication by design in many applications, making exploitation straightforward for any attacker who can send HTTP requests to the target. Post-exploitation activity typically includes credential harvesting from .env files, lateral movement through internal networks, and installation of web shells or reverse shells for persistent access.

No specific threat actor has been publicly attributed to active exploitation of CVE-2025-54068 at time of publication. The CISA KEV listing indicates confirmed exploitation activity exists and warrants urgent response.

Detection Guidance

SOC analysts should review web application and server logs for anomalous requests targeting Livewire component endpoints — commonly identifiable by routes or POST requests to /livewire/message or similar handler paths. Look for unexpected payloads containing PHP function names, shell command strings, or encoded payloads in Livewire component data fields.

Enable alerting on:

  • Unusual process spawning from web server processes (e.g., www-data or apache spawning bash, sh, curl, or wget)
  • Outbound network connections initiated by the web application process to external IPs
  • File writes to web-accessible directories by the application user

Deploy WAF rules targeting Livewire request patterns with suspicious payload characteristics as a detection layer, not solely as a prevention control.

Patching and Mitigation

Primary action: Update Laravel Livewire to the latest patched version immediately. Consult the Laravel security advisories page and the official livewire/livewire GitHub repository for the specific patched release version and changelog details. Use Composer to update: composer update livewire/livewire.

If immediate patching is not possible:

  1. Restrict access to Livewire endpoints using WAF rules or IP allowlists. Block or rate-limit POST requests to /livewire/message and related paths from untrusted sources.
  2. Audit current Livewire usage across all application components to identify configurations that may satisfy the vulnerability's triggering conditions.
  3. Rotate all credentials stored in .env files and secrets managers accessible to the web application process as a precautionary measure.
  4. Review application logs retroactively for signs of exploitation, covering the full window since the CVE disclosure date.

Federal agencies operating under CISA BOD 22-01 must complete remediation by April 3, 2026. All other organizations should treat this as a critical-priority patch given the unauthenticated RCE attack vector and active exploitation confirmation.