CVE-2025-58766: CWE-94: Improper Control of Generation of Code ('Code Injection') in dyad-sh dyad
Dyad is a local AI app builder. A critical security vulnerability was discovered that affects Dyad v0.19.0 and earlier versions and allows attackers to execute arbitrary code on users' systems. The vulnerability affects the application's preview window functionality and can bypass Docker container protections. An attacker can craft web content that automatically executes when the preview loads. The malicious content can break out of the application's security boundaries and gain control of the system. This has been fixed in Dyad v0.20.0 and later.
AI Analysis
Technical Summary
CVE-2025-58766 is a critical code injection vulnerability (CWE-94) affecting Dyad, a local AI application builder, specifically versions prior to 0.20.0. The vulnerability resides in the application's preview window functionality, which processes web content. An attacker can craft malicious web content that executes automatically when loaded in the preview window. This malicious content can bypass Docker container protections, which are typically used to isolate and sandbox the application environment. By exploiting this flaw, an attacker can break out of the security boundaries established by Dyad and gain arbitrary code execution on the host system. This means the attacker can run any code with the privileges of the user running Dyad, potentially leading to full system compromise. The vulnerability requires at least limited privileges (PR:L) and user interaction (UI:R), as the user must load the malicious preview content. The CVSS 3.1 score is 9.1 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with network attack vector and low attack complexity. Although no known exploits are currently reported in the wild, the severity and nature of the vulnerability make it a significant threat, especially in environments where Dyad is used to build or test AI applications locally. The issue has been addressed in Dyad version 0.20.0 and later, so upgrading is essential to mitigate the risk.
Potential Impact
For European organizations, this vulnerability poses a severe risk, particularly for companies involved in AI development, software prototyping, or any workflows that incorporate Dyad. Successful exploitation could lead to unauthorized access to sensitive data, intellectual property theft, or disruption of critical AI development processes. Since the vulnerability allows code execution outside of containerized environments, it undermines common security practices relying on container isolation. This could facilitate lateral movement within networks, data exfiltration, or deployment of ransomware or other malware. Organizations with development teams using Dyad on endpoints connected to corporate networks are at risk of initial compromise spreading internally. The critical severity and ease of exploitation through user interaction mean that phishing or social engineering could be leveraged to trick users into loading malicious previews. This elevates the threat to a broader range of organizations beyond just those with advanced security postures. The impact on confidentiality, integrity, and availability is high, potentially affecting regulatory compliance (e.g., GDPR) if personal or sensitive data is exposed or systems are disrupted.
Mitigation Recommendations
1. Immediately upgrade to Dyad version 0.20.0 or later to apply the official patch that fixes the vulnerability.
2. Restrict usage of Dyad to trusted users and environments, and in particular avoid loading untrusted or external preview content.
3. Implement endpoint protection solutions that monitor and block suspicious code execution behaviors, particularly those attempting to escape container boundaries.
4. Enforce strict network segmentation and least privilege principles for users running Dyad to limit potential lateral movement in case of compromise.
5. Educate users about the risks of loading unverified content in development tools and incorporate security awareness training focused on social engineering tactics.
6. Use application whitelisting and sandboxing technologies to further isolate Dyad processes and prevent unauthorized code execution.
7. Monitor logs and system behavior for indicators of compromise related to Dyad usage, such as unexpected process launches or network connections.
8. If Docker containers are used, review and harden container configurations to reduce the risk of breakout, including limiting container privileges and capabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-04T19:18:09.500Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68caf2f2822eeeec0bbb2583
Added to database: 9/17/2025, 5:42:10 PM
Last enriched: 9/17/2025, 5:42:27 PM
Last updated: 11/2/2025, 4:58:36 AM