CVE-2025-58766
Dyad · Dyad
A critical arbitrary code execution vulnerability exists in Dyad versions 0.19.0 and earlier due to insufficient security controls.
Executive summary
A critical vulnerability in the Dyad AI app builder allows unauthenticated attackers to execute arbitrary code on the host system, posing a severe risk of total system compromise.
Vulnerability
The application fails to properly sanitize inputs or validate operations, allowing an unauthenticated attacker to trigger arbitrary code execution on the underlying system.
Business impact
The ability for an attacker to execute arbitrary code grants them full control over the affected workstation or server. Given the CVSS score of 9.0, this vulnerability carries a critical severity, potentially leading to complete data exfiltration, installation of malware, or the lateral movement of threats into the broader corporate network.
Remediation
Immediate Action: Upgrade to the latest version of Dyad immediately to ensure the patch for arbitrary code execution is applied.
Proactive Monitoring: Review system logs for unauthorized process execution and monitor for unexpected network connections originating from the Dyad application process.
Compensating Controls: Deploy endpoint detection and response (EDR) solutions to identify and block suspicious child processes spawned by the application.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a high-risk entry point for attackers to gain persistent access to your environment. Administrators should prioritize updating all instances of Dyad to a patched version as soon as it becomes available to mitigate the risk of remote code execution.