Our latest updates on Security

Welcome to our Dia Security Bulletin. Here you’ll find the most up-to-date information on recent security fixes. We get into the weeds a little here; if you have any questions, you can always find us at [email protected].

November 20, 2025

CVE-2025-13132: Increased Spoof Risk; Missing full screen toast

  • Summary: Increased Spoof Risk in affected macOS versions of Dia
  • CVE ID: CVE-2025-13132
  • Advisory Release Date: Fri, Nov 21, 2025
  • Affected Versions: Dia versions <1.6
  • Severity: High

Details

This vulnerability allowed a site to enter fullscreen without a fullscreen notification (toast) appearing. Without this notification, users could potentially be misled about which site they were on if a malicious site rendered a fake UI (like a fake address bar).

In Dia versions ≥1.6, the fullscreen notification (toast) is now enabled in all scenarios, informing users of a transition to fullscreen and making spoof attempts visible.

Severity

The Browser Company rates this issue High with a CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). This reflects our internal assessment—please evaluate applicability within your environment.

Affected Versions

Dia on macOS versions <1.6

What do I need to do?

Update Dia to the latest available version. Any version 1.6 or newer contains the fix.

Credit

The Browser Company thanks @frozzipies for reporting this issue through our vulnerability rewards program.

October 15, 2025

Introducing Dia’s Security Bulletin

Hi there, Cory here! I’m the Head of Security at The Browser Company. With the general availability of Dia being announced, the security team is introducing Dia’s Security Bulletin page.

Security has been at the core of how we built Dia. Being an AI Browser introduces novel security considerations—from prompt injection and model supply chain risks to client hardening and safe integrations. We’re committed to transparent, actionable communication when there’s something users or admins need to do.

This page will host:

  • Advisories: Clear guidance on vulnerabilities affecting Dia and steps to remediate.
  • CVE Notices: Disclosures aligned with our CNA policy and assignment process.
  • Security-impacting Release Notes: Highlights of patches, mitigations, and hardening work.
  • Enterprise Updates: Admin controls, policy changes, and audit-related information.

Publishing cadence will be event-driven: when there’s user or admin action to take, you’ll see it here first, with severity, affected versions, and fix paths.

If you believe you’ve found a security issue, please report it through our bug bounty program or responsible disclosure channels listed on the Dia Security Center. Thank you for helping us keep users safe.