CVE-2025-65099
Published: 19 November 2025
Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Security Summary
CVE-2025-65099 is a code injection vulnerability (CWE-94) affecting Claude Code, an agentic coding tool from Anthropic, in versions prior to 1.0.39. The issue arises when Claude Code runs on a machine with Yarn 3.0 or above, allowing the tool to be tricked into executing arbitrary code contained in a project through yarn plugins before the user accepts the startup trust dialog. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high-impact confidentiality, integrity, and availability compromises.
Exploitation requires a user to start Claude Code in an untrusted directory on a machine with Yarn 3.0 or higher. An attacker who controls that project, for example by distributing a malicious repository, can then trigger code execution automatically on startup, bypassing the trust dialog. No special privileges or user interaction beyond launching the tool in the compromised directory are needed, so remote attackers distributing tainted projects can exploit it.
The GitHub security advisory (GHSA-5hhx-v7f6-x7gv) confirms the issue has been addressed in Claude Code version 1.0.39, recommending users upgrade immediately to mitigate the risk. Practitioners should verify Yarn versions and audit directories before launching the tool in potentially untrusted contexts.
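As an added example (not part of this advisory, and not code from Anthropic or the Yarn project), the following POSIX shell script turns the recommendation above into a pre-launch check: it compares the installed Claude Code version against 1.0.39, the Yarn version against 3.0, and looks in the target directory for the Yarn configuration through which project code gets loaded (`plugins:` and `yarnPath:` keys in `.yarnrc.yml`, and bundles under `.yarn/plugins/`). The `claude --version` invocation and its output format, and the hypothetical `example-plugin.cjs` path in the constructed sample project, are assumptions, not details taken from the advisory.

```shell
#!/bin/sh
# Added example for CVE-2025-65099: pre-launch checks before opening an
# untrusted directory with Claude Code on a Yarn 3+ machine.
# Assumptions (not from the advisory): `claude --version` exists and prints a
# dotted version; Yarn 3+ reads plugins/yarnPath from .yarnrc.yml.

# version_lt A B: exit 0 when dotted version A sorts strictly before B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # equal versions are not "less than"
    }'
}

# Claude Code releases before 1.0.39 are affected (per GHSA-5hhx-v7f6-x7gv).
claude_is_vulnerable() {
    version_lt "$1" 1.0.39
}

# The issue needs Yarn 3.0 or above on the machine.
yarn_in_affected_range() {
    if version_lt "$1" 3.0.0; then return 1; else return 0; fi
}

# Exit 0 when DIR carries Yarn config that makes Yarn load code from the
# project itself: a plugins list or a checked-in yarnPath release, or plugin
# bundles already present under .yarn/plugins/. A hit means "review before
# trusting", not necessarily "malicious".
project_loads_yarn_plugins() {
    dir=$1
    rc=$dir/.yarnrc.yml
    if [ -f "$rc" ] && grep -Eq '^[[:space:]]*(plugins|yarnPath):' "$rc"; then
        return 0
    fi
    if [ -d "$dir/.yarn/plugins" ] && [ -n "$(ls -A "$dir/.yarn/plugins" 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# Run the three checks against DIR (default: cwd). Exit 1 when all three
# conditions for the vulnerability line up. Unknown Claude Code version is
# treated as unpatched (fail closed). Yarn is queried from / on purpose:
# Yarn itself honours a checked-in yarnPath, so never run it inside the
# untrusted project to find out which version you have.
preflight() {
    dir=${1:-.}
    yarn_v=$(cd / && yarn --version 2>/dev/null || echo 0)
    claude_v=$(claude --version 2>/dev/null | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    claude_v=${claude_v:-0}
    if claude_is_vulnerable "$claude_v" && yarn_in_affected_range "$yarn_v" \
        && project_loads_yarn_plugins "$dir"; then
        echo "STOP: Claude Code $claude_v (<1.0.39), Yarn $yarn_v (>=3), yarn plugin config in $dir"
        return 1
    fi
    echo "OK: Claude Code $claude_v, Yarn $yarn_v, project $dir"
    return 0
}

# Constructed sample project (not real data): a .yarnrc.yml with both
# code-loading keys and a hypothetical plugin path. Prints the temp dir.
make_sample_project() {
    d=$(mktemp -d)
    mkdir -p "$d/.yarn/plugins"
    cat > "$d/.yarnrc.yml" <<'EOF'
yarnPath: .yarn/releases/yarn-3.6.1.cjs
plugins:
  - path: .yarn/plugins/example-plugin.cjs
EOF
    printf '%s\n' "$d"
}

if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh /path/to/cloned/repo` before starting Claude Code there; a non-zero exit means either upgrade Claude Code to 1.0.39 or later or inspect the flagged Yarn configuration first. The script deliberately does not execute anything from the project directory, since the whole point is to decide whether to trust it.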
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary code execution via malicious Yarn plugins/config in an untrusted directory before the startup trust dialog, exploiting the client application (T1203) and bypassing the directory trust defense (T1211).