Dyad Remote Code Execution Vulnerability in Preview Window
Vulnerability
A critical remote code execution vulnerability has been identified in Dyad, an AI application builder, affecting versions up to and including 0.19.0. The issue arises in the application's preview window, where attacker-controlled web content executes automatically when the preview is loaded. This vulnerability bypasses Docker container protections, allowing the malicious content to escape the application's security boundaries and execute arbitrary code on the user's system. It can be exploited by distributing compromised templates through Dyad's community templates or by embedding malicious content in external sources that users might reference.
Impact
Exploitation of this vulnerability allows for remote code execution on the user's system, with the added risk of bypassing Docker container protections and affecting the host system.
Reproduction
To reproduce this vulnerability, preview a web application in Dyad that contains untrusted content, such as imported community templates or references to external sources. The malicious content will execute automatically in the preview window, demonstrating the remote code execution capability of the vulnerability.
Remediation
Users are advised to upgrade to Dyad version 0.20.0 or later, where this vulnerability has been fixed.