CVE-2025-54068 : Deep dive into Livewire, from weak typing to pre-authenticated remote command execution
| Action | Key |
|---|---|
| Play / Pause | K or space |
| Mute / Unmute | M |
| Toggle fullscreen mode | F |
| Select next subtitles | C |
| Select next audio track | A |
| Toggle automatic slides maximization | V |
| Seek 5s backward | left arrow |
| Seek 5s forward | right arrow |
| Seek 10s backward | shift + left arrow or J |
| Seek 10s forward | shift + right arrow or L |
| Seek 60s backward | control + left arrow |
| Seek 60s forward | control + right arrow |
| Seek 1 frame backward | alt + left arrow |
| Seek 1 frame forward | alt + right arrow |
| Decrease volume | shift + down arrow |
| Increase volume | shift + up arrow |
| Decrease playback rate | < |
| Increase playback rate | > |
| Seek to end | end |
| Seek to beginning | beginning |
Share this media
HLS video stream
You can use an external player to play this stream (like VLC).
HLS video streamWhen subscribed to notifications, an email will be sent to you for all added annotations.
Your user account has no email address.
Information on this media
CVE-2025-54068 exposed a critical vulnerability in Livewire, a popular full-stack framework for Laravel, enabling pre-authenticated remote command execution (RCE) by exploiting PHP’s weak typing and Livewire’s hydration mechanism. According to GitHub, Livewire was downloaded more than 74 million times, making it one of the most used Laravel dependency ever. Traditionally, Livewire protects its state with a checksum signed by the application’s APP_KEY. However, this vulnerability allowed attackers to bypass the APP_KEY requirement entirely by smuggling synthesizers through the updates mechanism, effectively breaking the state synchronization between server and browser. The root cause lies in Livewire’s component property update hydration process, where recursive calls and improper context preservation enabled malicious payload injection. Exploitation required only the target application’s URL, making it accessible to unauthenticated attackers. The vulnerability affected Livewire versions from 3.0.0-beta.1 up to 3.6.3, and was patched in version 3.6.4. This talk will detail the technical chain from weak typing to RCE, demonstrate the exploit process, discuss the hardening measures implemented by Livewire to prevent similar issues in the future and more especially, show the consequences being the publication of the associated proof of concept during the end of last year.
Other media in the channel "2026"
7 views, 7 this year, 7 this monthDesktopRanger Blocks Keystroke Spying: Hardening Windows Desktop IsolationJuly 1st, 2026
5 views, 5 this year, 5 this monthRust, PAM and Typestate: Cooking up spotless authentication with nonstickJuly 2nd, 2026
4 views, 4 this year, 4 this monthFractum: an open-source CLI for Threshold-Based Cold Storage of Critical SecretsJuly 2nd, 2026
18 views, 18 this year, 18 this monthKeibiDrop: Post-Quantum Encrypted Peer-to-Peer File Transfer Without the CloudJuly 2nd, 2026
9 views, 9 this year, 9 this monthOblivious HTTP - when the server does not want to see your IPJuly 2nd, 2026
20 views, 20 this year, 20 this monthYour credentials were leaked, so what?July 2nd, 2026