@chrispage1
Created January 8, 2026 15:14
An AI-generated Python script to scan servers for Livewire versions impacted by CVE-2025-54068
# Run this script as python3 ./livewire_scan.py
# This will find all composer.lock files and check for vulnerable versions
import os
import json
import re
# Affected range for CVE-2025-54068:
#   - first affected release: Livewire v3.0.0-beta.1
#   - last affected release:  Livewire v3.6.3
#   - first patched release:  Livewire v3.6.4
# Anything on the v3 line that sorts below the patched tuple is reported.
PATCHED_VERSION_TUPLE = (3, 6, 4)
VULNERABLE_MAJOR = 3
def parse_version(version_str):
    """Extract the leading MAJOR.MINOR.PATCH numbers from a version string.

    Leading 'v' characters are stripped first, then the first three
    dot-separated numeric components are read. Everything after them
    (for example a '-beta' suffix) is discarded, so '3.6.3-beta' and
    '3.6.3' produce the same tuple.

    Returns:
        A tuple of three ints, or None when the string does not start with
        a MAJOR.MINOR.PATCH prefix (branch-style versions such as
        'dev-main', or two-component versions such as '3.6').
    """
    numeric = re.match(r'^(\d+)\.(\d+)\.(\d+)', version_str.lstrip('v'))
    if numeric is None:
        return None
    return tuple(int(part) for part in numeric.groups())
def is_vulnerable(version_str):
    """Return True when version_str lies in the range affected by the CVE.

    A version is reported as affected only when it parses, its major
    number equals VULNERABLE_MAJOR (Livewire v2 and earlier are not
    affected), and its tuple sorts strictly below PATCHED_VERSION_TUPLE.

    A False result for a version that parse_version() cannot read means
    "not determined", not "confirmed safe".
    """
    parsed = parse_version(version_str)
    if not parsed:
        return False
    # Same major line as the CVE and strictly older than the patched release.
    return parsed[0] == VULNERABLE_MAJOR and parsed < PATCHED_VERSION_TUPLE
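def check_composer_lock(file_path):
    """Report the Livewire version locked in one composer.lock file.

    Prints a ``[VULNERABLE]`` line when the locked ``livewire/livewire``
    version is in the range affected by CVE-2025-54068, an ``[UNKNOWN]``
    line when the version is missing or cannot be parsed (so it is not
    silently treated as safe), and an ``[ERROR]`` line when the file cannot
    be read or decoded. Only the first ``livewire/livewire`` entry is
    examined.

    Args:
        file_path: Path to a composer.lock file.

    Returns:
        None. All results are written to stdout.
    """
    # NOTE(review): this inspects the lock file only; the copy actually
    # installed under vendor/ may differ - confirm on hosts where it matters.
    try:
        with open(file_path, 'r', encoding='utf-8') as f:
            data = json.load(f)

        # composer.lock keeps runtime and dev dependencies in separate lists
        packages = data.get('packages', []) + data.get('packages-dev', [])

        for pkg in packages:
            if pkg.get('name') != 'livewire/livewire':
                continue

            # An absent version is reported as unknown instead of defaulting
            # to a value that would quietly compare as "not affected".
            version = pkg.get('version', '')
            if parse_version(version) is None:
                # Branch-style versions (e.g. 'dev-main') cannot be compared
                # against the patched release, so a human has to check them.
                print(f"[UNKNOWN] Could not determine Livewire version ({version!r}) in: {file_path} - check manually")
            elif is_vulnerable(version):
                print(f"[VULNERABLE] Found Livewire {version} in: {file_path}")
            # Optional: add an else branch printing a [SAFE] line to list
            # patched installs as well.
            return

    except json.JSONDecodeError:
        print(f"[ERROR] Could not parse JSON in: {file_path}")
    except PermissionError:
        print(f"[ERROR] Permission denied: {file_path}")
    except Exception as e:
        # Deliberately broad: one malformed lock file must not stop the scan.
        print(f"[ERROR] Error reading {file_path}: {e}")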
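def scan_directory(root_dir):
    """Walk root_dir and check every composer.lock file found beneath it.

    Directories that cannot be listed (missing root, permission denied) are
    reported with an ``[ERROR]`` line. Without that, os.walk() skips them
    silently and the scan would look clean while covering only part of the
    tree, e.g. when run as an unprivileged user over other users' homes.

    Args:
        root_dir: Directory to scan recursively.

    Returns:
        None. All results are written to stdout.
    """
    def _report_walk_error(err):
        # os.walk passes the OSError raised while listing a directory.
        print(f"[ERROR] Could not read directory {err.filename}: {err.strerror}")

    print(f"Scanning {root_dir} for vulnerable Livewire versions (CVE-2025-54068)...")

    for current_dir, _subdirs, filenames in os.walk(root_dir, onerror=_report_walk_error):
        if 'composer.lock' in filenames:
            check_composer_lock(os.path.join(current_dir, 'composer.lock'))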
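if __name__ == "__main__":
    import sys

    # Scan the directories named on the command line; with no arguments keep
    # the original behaviour and scan /home. Sites deployed outside /home
    # are otherwise never looked at.
    for scan_root in sys.argv[1:] or ['/home']:
        scan_directory(scan_root)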