GHSA-29cq-5w36-x7w3

Source

https://github.com/advisories/GHSA-29cq-5w36-x7w3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-29cq-5w36-x7w3/GHSA-29cq-5w36-x7w3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-29cq-5w36-x7w3

Aliases

CVE-2025-54068

Published

2025-07-17T20:26:45Z

Modified

2025-07-17T22:23:01.524034Z

Severity

9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Livewire is vulnerable to remote command execution during component property update hydration

Details

Impact

In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction.

Patches

This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible.

Workarounds

There is no known workaround at this time. Users are strongly advised to upgrade to a patched version immediately.

Resources

No public references available at this time to avoid exposure. Details will be published after a responsible disclosure window.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-07-17T20:26:45Z",
    "nvd_published_at": "2025-07-17T19:15:25Z"
}

References

Affected packages

Packagist / livewire/livewire

Package

Name: livewire/livewire
Purl: pkg:composer/livewire/livewire

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0-beta.1

Fixed

3.6.4

Affected versions

v3.*

v3.0.0-beta.1

v3.0.0-beta.2

v3.0.0-beta.3

v3.0.0-beta.4

v3.0.0-beta.5

v3.0.0-beta.6

v3.0.0-beta.7

v3.0.0-beta.8

v3.0.0-beta.9

v3.0.0-beta.10

v3.0.0-beta.11

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.0.10

v3.1.0

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v3.4.6

v3.4.7

v3.4.8

v3.4.9

v3.4.10

v3.4.11

v3.4.12

v3.5.0

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.5.5

v3.5.6

v3.5.7

v3.5.8

v3.5.9

v3.5.10

v3.5.11

v3.5.12

v3.5.13

v3.5.14

v3.5.15

v3.5.16

v3.5.17

v3.5.18

v3.5.19

v3.5.20

v3.6.0

v3.6.1

v3.6.2

v3.6.3