Listen to this Post
The vulnerability in Livewire v3 up to v3.6.3 stems from insecure hydration of component property updates. When a Livewire component is mounted, it defines public properties that can be updated from the frontend. The framework uses a hydration process to deserialize these properties from the request payload. In affected versions, certain property types, particularly those tied to Eloquent models or custom objects, can be manipulated to trigger unintended code execution. The attack exploits how Livewire handles “model” bindings and the `Wireable` interface. An attacker can craft a malicious payload that, when sent during a component update, forces the hydration process to invoke dangerous methods or instantiate arbitrary classes. This bypasses standard input sanitization because the hydration layer trusts the structure of serialized data. The vulnerability is unique to Livewire v3 due to changes in the property update lifecycle and the of a new hydration system. Successful exploitation requires the targeted component to use specific patterns, such as `
` properties or public properties bound to models, but no authentication or user interaction is needed. The issue was patched in v3.6.4 by implementing stricter validation during hydration and preventing the instantiation of arbitrary classes from user-controlled data.
Platform: Livewire (Laravel)
Version: 3.0-3.6.3
Vulnerability: Remote Command Execution
Severity: Critical (9.2)
date: 2026-03-23
<h2 style="color: blue;">Prediction: Already released (3.6.4)</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics</h2>
The vulnerability presents a high-impact attack vector with low complexity once the specific component configuration is met. Given the CVSS 4.0 score of 9.2 and the lack of authentication requirements, this is a critical supply-chain risk for Laravel applications. Exploitation patterns likely involve crafted POST requests to Livewire update endpoints.
<h2 style="color: blue;">Bash Commands / Code</h2>
[bash]
Check installed Livewire version
composer show livewire/livewire | grep versions
Example vulnerable component property (pseudo-code)
public $model;
public function mount(User $user) { $this->model = $user; }
Example malicious payload structure (conceptual)
{
"components": [{
"snapshot": {
"data": {
"model": {
"class": "Symfony\Component\Process\Process",
"key": "malicious",
"arguments": ["whoami"]
}
}
}
}]
}
Exploit
An unauthenticated attacker sends a crafted POST request to the Livewire update endpoint (/livewire/update). The payload includes a serialized object that, when hydrated, instantiates a class like `Symfony\Component\Process\Process` or invokes a `__call` method on an Eloquent model, leading to arbitrary command execution on the server.
Protection
Upgrade to Livewire v3.6.4 or later immediately. If immediate upgrade is impossible, restrict access to Livewire update routes to trusted networks only and audit all components for use of public properties bound to models or objects that implement Wireable.
Impact
Remote command execution leading to full server compromise, data exfiltration, and lateral movement within the internal network. The vulnerability requires no authentication, making it a critical risk for any publicly accessible Laravel application using vulnerable Livewire versions.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

