CRITICAL · CVE-2025-58766 · CVSS 9.1

Dyad Vulnerable to Remote Code Execution via Top-level Navigation in Preview Window


Platform

other

Component

dyad

Fixed in

0.20.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

A critical Remote Code Execution (RCE) vulnerability (CVE-2025-58766) has been identified in Dyad, a local AI app builder. This vulnerability allows attackers to execute arbitrary code on a user's system, potentially leading to complete system compromise. The issue affects Dyad versions 0.19.0 and earlier, and a fix is available in version 0.20.0 and later.

Impact and Attack Scenarios

The vulnerability resides within Dyad's preview window functionality. An attacker can craft malicious web content that, when loaded within the preview, bypasses Docker container protections and executes arbitrary code on the host system. This effectively breaks the application's security boundaries, granting the attacker control over the underlying operating system. The potential impact is severe, including data theft, malware installation, and complete system takeover. The ability to bypass containerization significantly increases the attack surface and potential for widespread compromise, particularly in environments where Dyad is deployed within containerized infrastructure.

Exploitation Context

This vulnerability is considered highly critical due to the ease of exploitation and the potential for complete system compromise. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and the high CVSS score. As of the publication date (2025-09-17), there are no reports of active exploitation campaigns, but the vulnerability's severity warrants immediate attention. The vulnerability has not been added to the CISA KEV catalog at the time of writing.

Who Is at Risk

Developers and users of Dyad who are running versions 0.19.0 or earlier are at significant risk. This includes individuals using Dyad for local AI app development and organizations deploying Dyad within their development environments, particularly those utilizing containerization technologies where the bypass of container protections amplifies the potential impact.

Detection Steps

• windows / supply-chain: Monitor PowerShell execution for suspicious commands related to Dyad's preview functionality. Check scheduled tasks for any unusual entries associated with Dyad.

Get-Process -Name Dyad | Select-Object -ExpandProperty Path

• linux / server: Examine system logs (journalctl) for errors or unusual activity related to Dyad's preview process. Use lsof to identify any unexpected files or network connections associated with Dyad.

lsof -p "$(pidof Dyad | tr ' ' ',')"   # pidof may return several PIDs; lsof -p expects a comma-separated list

• generic web: Monitor access logs for requests containing suspicious parameters or payloads targeting Dyad's preview endpoint. Inspect response headers for unexpected content or redirects.

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.04% (10th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (9.1 CRITICAL)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level required for the attack)
User Interaction: Required (whether the victim must take action)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
Required: the victim must open a file, click a link or visit a page.
Scope
Changed: the attack can extend beyond the vulnerable component to other systems.
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete crash or resource exhaustion. Total denial of service.

Affected Software

Component: dyad
Vendor: dyad-sh
Affected range: < 0.20.0
Fixed in: 0.20.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation is to immediately upgrade Dyad to version 0.20.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider isolating Dyad instances from external networks to prevent potential exploitation. While a direct workaround is unavailable, implementing strict content security policies (CSP) within the Dyad application itself, if possible, could help mitigate the risk of malicious content execution. Monitor network traffic for unusual activity originating from Dyad instances, particularly requests to external domains or unexpected outbound connections.
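As an added illustration of the in-app hardening mentioned above (this is not Dyad's code and not the upstream fix), an Electron preview webContents can refuse top-level navigations, redirects and window.open calls to any origin outside an allow-list, so untrusted preview content cannot steer the frame to an attacker-controlled page. The allowed origins and the emitter-style webContents stub used for testing are assumptions.

```javascript
// Added example (not Dyad's code): a navigation guard for an Electron
// preview window. Untrusted preview content must not be able to steer the
// top-level frame to an arbitrary origin, because whatever preload/IPC
// bridge the preview frame carries would then be exposed to that page.
// The origins below are assumed placeholders for a local dev-server preview.
const ALLOWED_PREVIEW_ORIGINS = ['http://localhost:32100', 'http://127.0.0.1:32100'];

// Pure policy: only http(s) URLs whose origin is on the allow-list may load
// as a top-level navigation. javascript:, file:, data: and unparsable URLs
// are all rejected.
function isAllowedNavigation(targetUrl, allowedOrigins = ALLOWED_PREVIEW_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return false; // not a valid absolute URL: deny
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return allowedOrigins.includes(parsed.origin);
}

// Wire the policy to a webContents. In a real app this is Electron's
// webContents; here it may be any object exposing on(event, handler) and
// setWindowOpenHandler(fn), which is what a unit test can pass in.
function attachNavigationGuard(webContents, allowedOrigins = ALLOWED_PREVIEW_ORIGINS) {
  const deny = (event, url) => {
    if (!isAllowedNavigation(url, allowedOrigins)) {
      event.preventDefault(); // cancel the navigation in the preview frame
      console.warn(`[preview-guard] blocked navigation to ${url}`);
    }
  };
  // Direct top-level navigations (location.href = ..., link clicks) and
  // server-side redirects are reported through these Electron events.
  webContents.on('will-navigate', deny);
  webContents.on('will-redirect', deny);
  // window.open() from preview content must never spawn a new window.
  webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
  return webContents;
}
```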

How to Fix

Upgrade Dyad to version 0.20.0 or later. This update fixes the remote code execution vulnerability in the preview window. The update can be performed by downloading the latest version from the official website or by using the application's built-in update mechanism.


Frequently Asked Questions

What is CVE-2025-58766 — Remote Code Execution in Dyad?

CVE-2025-58766 is a critical RCE vulnerability in Dyad AI App Builder versions 0.19.0 and earlier, allowing attackers to execute arbitrary code via crafted web content in the preview window.

Am I affected by CVE-2025-58766 in Dyad?

Yes, if you are using Dyad version 0.19.0 or earlier, you are affected by this vulnerability and should upgrade immediately.

How do I fix CVE-2025-58766 in Dyad?

Upgrade Dyad to version 0.20.0 or later to resolve this vulnerability. If immediate upgrade is not possible, isolate Dyad instances and implement strict content security policies.

Is CVE-2025-58766 being actively exploited?

As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate action.

Where can I find the official Dyad advisory for CVE-2025-58766?

Refer to the official Dyad security advisory for detailed information and updates regarding CVE-2025-58766.
