Laravel Livewire
By the Year
In 2025 there have been 0 vulnerabilities in Laravel Livewire. Last year, in 2024, Livewire had 2 security vulnerabilities published. Right now, Livewire is on track to have fewer security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 2 | 9.30 |
It may take a day or so for new Livewire vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Laravel Livewire Security Vulnerabilities
Livewire RCE via Unvalidated File Extension (before 2.12.7/3.5.2)
CVE-2024-47823
9.8 - Critical - October 08, 2024
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a .php file extension. If the following criteria are met, the attacker can carry out an RCE attack:
1. The stored filename is composed from the original file name using `$file->getClientOriginalName()`.
2. Files are stored directly on your server in a public storage disk.
3. The web server is configured to execute .php files.
This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Unrestricted File Upload
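The weak check described above (accepting an upload because its MIME-derived extension is allowed) next to a hardened check that also validates the client-supplied extension and never reuses the original filename for storage. This is an added illustration in plain PHP, not Livewire's own code; `guessExtensionFromMime`, `weakAccepts`, `hardenedAccepts` and `storageName` are hypothetical names, and the upload record is constructed.

```php
<?php
declare(strict_types=1);

// Constructed upload metadata: a .php filename whose content sniffs as PNG
// (e.g. PNG magic bytes followed by PHP code), so the MIME type looks valid.
$upload = ['clientName' => 'avatar.php', 'mimeType' => 'image/png'];
$allowed = ['png', 'jpg', 'pdf'];

/** Extension guessed from the MIME type alone (the pre-2.12.7 / 3.5.2 pattern). */
function guessExtensionFromMime(string $mime): ?string
{
    $map = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    return $map[$mime] ?? null;
}

/** Weak: only the MIME-guessed extension is checked; the real extension is ignored. */
function weakAccepts(array $upload, array $allowed): bool
{
    return in_array(guessExtensionFromMime($upload['mimeType']), $allowed, true);
}

/** Hardened: the filename's own extension must be allowlisted and must agree
 *  with the extension implied by the sniffed MIME type. */
function hardenedAccepts(array $upload, array $allowed): bool
{
    $clientExt = strtolower(pathinfo($upload['clientName'], PATHINFO_EXTENSION));
    $clientExt = $clientExt === 'jpeg' ? 'jpg' : $clientExt;   // normalise alias
    $mimeExt   = guessExtensionFromMime($upload['mimeType']);
    return $clientExt !== ''
        && in_array($clientExt, $allowed, true)
        && $mimeExt !== null
        && $clientExt === $mimeExt;
}

/** Never derive the stored name from getClientOriginalName(): random basename,
 *  validated extension. Removes criterion 1 of the RCE chain. */
function storageName(string $validatedExt): string
{
    return bin2hex(random_bytes(16)) . '.' . $validatedExt;
}

// weakAccepts: true (avatar.php would be stored), hardenedAccepts: false (rejected).
var_dump(weakAccepts($upload, $allowed));
var_dump(hardenedAccepts($upload, $allowed));
if (hardenedAccepts($upload, $allowed)) {
    echo storageName(guessExtensionFromMime($upload['mimeType'])), PHP_EOL;
}
```

Even with the hardened check, serving uploads from a disk where the web server will not execute scripts (criteria 2 and 3 above) is the defence that holds if validation is ever bypassed again.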
Livewire <3.0.4 CSRF Remote Code Exec via getCsrfToken
CVE-2024-22859
8.8 - High - February 01, 2024
Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4 allows remote attackers to execute arbitrary code via the getCsrfToken function. NOTE: the vendor disputes this because the 5d88731 commit fixes a usability problem (HTTP 419 status codes for legitimate client activity), not a security problem.
Session Riding