# Livewire: remote command execution through unmarshaling
However, this mechanism comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application. By crafting malicious payloads, attackers can manipulate Livewire’s hydration process to execute arbitrary code, from simple function calls to stealthy remote command execution.
Finally, our research uncovered a pre-authenticated remote code execution vulnerability in Livewire, exploitable even without knowledge of the application’s APP_KEY. By analyzing Livewire’s recursive hydration mechanism, we found that attackers could inject malicious synthesizers through the updates field in Livewire requests, leveraging PHP’s loose typing and nested array handling. This technique bypasses checksum validation, allowing arbitrary object instantiation and leading to full system compromise.
## Introduction
Livewire has rapidly become one of the most popular full-stack frameworks for Laravel, empowering developers to build dynamic, real-time interfaces with minimal JavaScript. As of 2025, Livewire is used in over **30% of new Laravel projects**, according to community surveys and GitHub trends, making it a cornerstone of modern Laravel development.
According to BuiltWith, there are currently more than 130K public instances of applications based on Livewire.
Livewire uses the concepts of hydration and dehydration to manage component states. When a component is dehydrated, its state is saved and sent to the frontend with a checksum. Upon rehydration, the server verifies the checksum before restoring the component’s state. This ensures that the component’s state has not been altered during transit.
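The checksum round trip described above, modelled as an added example (not code from this article or from Livewire). It assumes an HMAC-SHA256 over the JSON-encoded snapshot, keyed with a server-side secret; the function names, snapshot layout and key are constructed for illustration.

```php
<?php
// Added illustration: a simplified model of a checksummed component snapshot.
// dehydrate()/hydrate(), the snapshot layout and DEMO_KEY are hypothetical.

const DEMO_KEY = 'constructed-demo-key-not-a-real-APP_KEY';

// Dehydrate: serialize the state and attach an HMAC computed with the server key.
function dehydrate(array $state, string $key): array
{
    $snapshot = ['data' => $state, 'memo' => ['name' => 'counter']];
    $snapshot['checksum'] = hash_hmac('sha256', json_encode($snapshot), $key);
    return $snapshot;
}

// Hydrate: recompute the HMAC over everything except the checksum field and
// refuse to restore the state when the two values differ.
function hydrate(array $snapshot, string $key): array
{
    $sent = $snapshot['checksum'] ?? null;
    unset($snapshot['checksum']);
    $expected = hash_hmac('sha256', json_encode($snapshot), $key);
    // hash_equals() compares in constant time; a missing checksum is rejected too.
    if (!is_string($sent) || !hash_equals($expected, $sent)) {
        throw new RuntimeException('snapshot checksum mismatch');
    }
    return $snapshot['data'];
}

// The snapshot travels to the browser and back as JSON.
$wire = json_encode(dehydrate(['count' => 1], DEMO_KEY));

// 1. An untouched snapshot is accepted and its state restored.
$state = hydrate(json_decode($wire, true), DEMO_KEY);
echo "restored count = {$state['count']}\n";

// 2. A state value changed in transit no longer matches the checksum.
$tampered = json_decode($wire, true);
$tampered['data']['count'] = 9999;
try {
    hydrate($tampered, DEMO_KEY);
    echo "tampered snapshot accepted\n";
} catch (RuntimeException $e) {
    echo "tampered snapshot rejected: {$e->getMessage()}\n";
}
```

The check only proves that the snapshot was produced by someone holding the key, which is why the secrecy of the APP_KEY matters for the integrity of the component state.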
## Livewire hydration mechanism
### Example of a Livewire update chain
First, let’s see how Livewire is integrated into an actual Laravel project to better understand its purpose.
Consider the following simple quickstart example: a basic component that increments or decrements a counter. A Livewire component can be set up with only three files:
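- A component stored in `app/Livewire/`:
```
<?php
// app/Livewire/Counter.php

namespace App\Livewire;

use Livewire\Component;

class Counter extends Component
{
    // Public property: part of the component state (initial value assumed)
    public $count = 1;

    public function increment()
    {
        $this->count++;
    }

    public function decrement()
    {
        $this->count--;
    }

    // Renders the Blade view associated with this component
    public function render()
    {
        return view('livewire.counter');
    }
}
```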
- A route pointing to this component:
```
<?php
// routes/web.php

use Illuminate\Support\Facades\Route;
use App\Livewire\Counter;

// Serve the Counter component as a full page
Route::get('/counter', Counter::class);
```
- A Blade view referenced in the component:
```
{{-- resources/views/livewire/counter.blade.php --}}
{{$count}}
@endif
