CVE-2025-58766 Overview
A critical code injection vulnerability has been discovered in Dyad, a local AI app builder. This vulnerability affects Dyad v0.19.0 and earlier versions, allowing attackers to execute arbitrary code on users' systems. The vulnerability specifically targets the application's preview window functionality and can bypass Docker container protections that are intended to sandbox user-generated content.
An attacker can craft malicious web content that automatically executes when the preview loads. This malicious content can break out of the application's security boundaries and gain full control of the underlying system. The vulnerability has been classified under CWE-94 (Improper Control of Generation of Code / Code Injection).
Critical Impact
Attackers can achieve arbitrary code execution by exploiting the preview window functionality, bypassing Docker container protections and gaining full system control.
Affected Products
- Dyad v0.19.0 and earlier versions
- Dyad preview window functionality
- Systems running Dyad without Docker sandbox protection
Discovery Timeline
- 2025-09-17 - CVE-2025-58766 published to NVD
- 2025-09-18 - Last updated in NVD database
Technical Details for CVE-2025-58766
Vulnerability Analysis
The vulnerability resides in Dyad's preview iframe implementation, which lacked proper sandboxing restrictions. The preview window functionality, designed to render user-generated AI application previews, did not implement adequate security boundaries. This allowed crafted web content to escape the intended isolation and execute arbitrary code on the host system.
Additionally, the application's Markdown parser failed to properly filter <dyad-command> tags from generated text output, potentially allowing command injection through AI-generated content that users might unknowingly render in the application.
Root Cause
The root cause of this vulnerability is the absence of the sandbox attribute on the iframe element used for preview rendering in src/components/preview_panel/PreviewIframe.tsx. Without sandbox restrictions, the iframe content inherits full privileges from the parent application context, enabling code execution beyond the intended boundaries.
A secondary contributing factor was the incomplete tag filtering in the Markdown parser (src/components/chat/DyadMarkdownParser.tsx), which did not include dyad-command in the list of filtered custom tags.
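The missing attribute described above can be checked for mechanically. The following is an added example, not code from Dyad or from the advisory: a JavaScript audit that finds each iframe tag in JSX or HTML source and reports a missing sandbox attribute, a sandbox value that is computed at runtime, or the allow-scripts plus allow-same-origin pairing, which only holds as a boundary while the framed document never shares the embedder's origin. The sample source, the function names and the issue labels are assumptions made for the example.

```javascript
// Added example, not Dyad code. Constructed sample: three iframes in JSX form.
const SAMPLE_SOURCE = `
<iframe
  data-testid="preview-iframe-element"
  onLoad={() => { setErrorMessage(undefined); }}
  src={appUrl}
/>
<iframe
  onLoad={() => { setErrorMessage(undefined); }}
  sandbox="allow-same-origin allow-scripts allow-forms"
/>
<iframe sandbox="allow-forms" data-sandbox-note="x" src="about:blank" />
`;

// Collect a tag's top-level attribute text, dropping JSX {...} bodies so that
// "=>" inside a handler neither ends the tag nor hides later attributes.
function topLevelAttrs(source, start) {
  let depth = 0, quote = null, out = "";
  for (let i = start; i < source.length; i++) {
    const ch = source[i];
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'" || ch === "`") quote = ch;
    else if (ch === "{") depth++;
    else if (ch === "}") { depth--; continue; }
    else if (ch === ">" && depth === 0) break;
    if (depth === 0) out += ch;
  }
  return out;
}

// Report iframes with no sandbox, a runtime-computed sandbox, or a risky pairing.
function auditIframes(source) {
  const findings = [];
  const sandboxRe = /(?:^|\s)sandbox(\s*=\s*(?:"([^"]*)"|'([^']*)')?)?(?=[\s\/]|$)/;
  for (const m of source.matchAll(/<iframe\b/gi)) {
    const line = source.slice(0, m.index).split("\n").length;
    const sb = sandboxRe.exec(topLevelAttrs(source, m.index + m[0].length));
    if (!sb) { findings.push({ line, issue: "missing-sandbox" }); continue; }
    if (sb[1] && sb[2] === undefined && sb[3] === undefined) {
      findings.push({ line, issue: "dynamic-sandbox-value" }); // e.g. sandbox={x}
      continue;
    }
    const tokens = (sb[2] ?? sb[3] ?? "").toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
      findings.push({ line, issue: "scripts-plus-same-origin" });
    }
  }
  return findings;
}

console.log(auditIframes(SAMPLE_SOURCE));
```

A "scripts-plus-same-origin" finding is a prompt to confirm which origin the framed document is served from, not a defect in itself.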
Attack Vector
The attack is network-based and requires user interaction—specifically, a user must load malicious content into the preview window. An attacker could craft specially designed web content or AI prompts that, when rendered in the preview panel, execute arbitrary JavaScript with elevated privileges. Since the preview iframe lacked sandboxing, this JavaScript could interact with Node.js APIs exposed by the Electron framework, leading to full system compromise.
</div>
) : (
<iframe
+ sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-orientation-lock allow-pointer-lock allow-presentation allow-downloads"
data-testid="preview-iframe-element"
onLoad={() => {
setErrorMessage(undefined);
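Review bot: the added sandbox value grants allow-same-origin together with allow-scripts, and that pair only holds as a boundary while the preview document's origin differs from the embedding window's; when the two share an origin, framed script can reach the parent and remove the attribute. Please confirm the preview is always served from a separate origin and say so in a comment next to the attribute, or drop allow-same-origin. The token list is also long: allow-popups, allow-modals, allow-downloads and allow-presentation each deserve a one-line justification, or removal if the preview does not need them.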
Source: GitHub Commit 1c0255a
The patch adds a comprehensive sandbox attribute to the iframe, restricting its capabilities while still allowing necessary functionality for legitimate preview operations.
"dyad-edit",
"dyad-codebase-context",
"think",
+ "dyad-command",
];
let processedContent = content;
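Review bot: the new "dyad-command" entry closes this one gap, but the array is still maintained by hand, so the next custom tag introduced elsewhere can be missed in the same way. Consider building the list from a single shared definition of the custom tags, and add a parser test that feeds a <dyad-command> block through and asserts it does not reach the rendered output.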
Source: GitHub Commit ebcf89e
This secondary patch adds dyad-command to the filtered tags list, preventing command injection through the Markdown parser.
Detection Methods for CVE-2025-58766
Indicators of Compromise
- Unexpected process spawns originating from the Dyad application process
- Unusual network connections initiated by preview iframe contexts
- System command execution traces linked to Electron renderer processes
- Presence of <dyad-command> tags in rendered AI output logs
Detection Strategies
- Monitor for JavaScript execution attempting to access Node.js APIs from iframe contexts
- Implement endpoint detection rules for Electron applications spawning shell processes
- Analyze Dyad application logs for malformed or suspicious preview content
- Track file system modifications initiated by the Dyad process outside expected directories
Monitoring Recommendations
- Deploy application behavior monitoring on systems running Dyad
- Enable verbose logging for the Dyad application preview functionality
- Configure alerts for privilege escalation attempts from containerized or sandboxed contexts
- Monitor Docker container escape attempts if using containerized deployments
How to Mitigate CVE-2025-58766
Immediate Actions Required
- Upgrade Dyad to version v0.20.0 or later immediately
- Review any AI-generated content rendered prior to patching for suspicious <dyad-command> tags
- Audit systems running affected Dyad versions for signs of compromise
- Temporarily disable preview functionality if immediate upgrade is not possible
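For the review of previously rendered AI output called for above, and for the matching indicator of compromise, a scan along the following lines can be run over saved text. This is an added example, not part of Dyad; the sample text, the attribute shown on the tag, and the function name findDyadCommandTags are constructed for illustration.

```javascript
// Constructed sample of saved assistant output; the attribute on the tag is invented.
const SAMPLE_OUTPUT = [
  "Here is the updated component.",
  '<dyad-command type="example"></dyad-command>',
  "Escaped form: &lt;DYAD-COMMAND&gt;",
  "The word dyad-command alone in prose is not a tag.",
  "<dyad-commander> is a different element name.",
].join("\n");

// Locate opening and closing dyad-command tags, written literally or with the
// leading "<" HTML-entity encoded, and report where each one occurs.
function findDyadCommandTags(text) {
  const hits = [];
  // "<" or an entity form of it, an optional "/", then the exact tag name.
  const re = /(?:<|&lt;|&#0*60;|&#x0*3c;)(\/?)dyad-command(?![\w-])/gi;
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const m of lineText.matchAll(re)) {
      hits.push({
        line: i + 1,
        column: m.index + 1,
        kind: m[1] ? "close" : "open",
        encoded: m[0][0] === "&", // entity-encoded "<" rather than a literal one
        context: lineText.slice(m.index, m.index + 80),
      });
    }
  });
  return hits;
}

for (const h of findDyadCommandTags(SAMPLE_OUTPUT)) {
  console.log(`${h.line}:${h.column} ${h.kind}${h.encoded ? " (encoded)" : ""} ${h.context}`);
}
```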
Patch Information
The vulnerability has been fully addressed in Dyad v0.20.0 and later versions. The fix implements proper iframe sandboxing with restricted permissions and adds filtering for dyad-command tags in the Markdown parser. Users should update to the latest version available from the official Dyad repository.
For detailed patch information, refer to the GitHub Security Advisory GHSA-7fxm-c5xx-7vpq.
Workarounds
- Avoid loading untrusted or externally-sourced content in the preview panel until upgraded
- Run Dyad in an isolated environment or virtual machine to limit potential impact
- Implement network segmentation to restrict outbound connections from systems running vulnerable versions
- Disable JavaScript execution in preview contexts if application configuration permits
# Verify Dyad version to confirm patched status
dyad --version
# Expected output: v0.20.0 or higher

