Overview
CVE-2025-65099 identifies a potential security vulnerability in Claude Code, an agentic coding tool. Specifically, prior to version 1.0.39, Claude Code could be tricked into executing malicious code embedded within a project’s Yarn plugins before a user even accepted the startup trust dialog. This could occur only when Claude Code was run in an untrusted directory and when the user was utilizing Yarn version 3.0 or higher. A patch has been released in version 1.0.39 to address this issue.
Technical Details
The vulnerability stems from the way Claude Code interacts with Yarn, a package manager for JavaScript. Yarn’s plugin system allows its functionality to be extended with custom code. Prior to version 1.0.39, Claude Code did not adequately validate the Yarn plugins loaded from a project directory, so an attacker could craft a project containing a malicious Yarn plugin. If a user opened that directory in Claude Code, the plugin could execute arbitrary code before the user had confirmed the initial trust dialog, bypassing the check that dialog is meant to provide.
The prerequisites for exploitation were that Claude Code was run in an untrusted directory and that the user was on Yarn version 3.0 or higher, the release line that introduced the plugin capabilities the attack relied on.
CVSS Analysis
A CVSS score is not currently available for CVE-2025-65099. Based on the description, however, the potential impact could be significant: the vulnerability allows arbitrary code execution, which could lead to data theft, system compromise, or other malicious activity. A comprehensive risk assessment should wait for the official CVSS score.
Possible Impact
Successful exploitation of CVE-2025-65099 could have the following impacts:
- Arbitrary Code Execution: An attacker could execute arbitrary code on the user’s machine, gaining control over the system.
- Data Theft: Sensitive data stored on the system could be compromised and exfiltrated.
- System Compromise: The attacker could install malware, create backdoor accounts, or perform other malicious actions to compromise the entire system.
- Supply Chain Attacks: If a developer’s environment is compromised, malicious code could be injected into the software development process, potentially affecting a larger user base.
Mitigation and Patch Steps
The recommended mitigation is to update Claude Code to version 1.0.39 or later. This version includes a patch that addresses the vulnerability by improving the handling and validation of Yarn plugins.
- Update Claude Code: Download and install the latest version (1.0.39 or later) of Claude Code from the official source.
- Verify Installation: After updating, verify that the correct version is installed.
- Exercise Caution: Avoid opening projects from untrusted sources in Claude Code, even after applying the patch.
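As an added defender-side check tied to the prerequisites above (the plugin-loading behaviour in Technical Details and the version and caution steps here), the following Python is example code written for this page, not code from the Claude Code project or the advisory. It assumes the Yarn 2+/Berry convention of declaring project-local plugins under `plugins:` in `.yarnrc.yml`, and a version string you read from your own installation; the sample `.yarnrc.yml` is constructed.

```python
import re

PATCHED_VERSION = (1, 0, 39)   # fixed release named in the advisory
# Constructed sample .yarnrc.yml (not taken from any real repository).
SAMPLE_YARNRC = """\
yarnPath: .yarn/releases/yarn-3.6.0.cjs
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-typescript.cjs
    spec: "@yarnpkg/plugin-typescript"
  - ./tools/local-plugin.cjs
nodeLinker: node-modules
"""

def parse_version(text):
    """Extract the first MAJOR.MINOR.PATCH triple from a version string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no semantic version in {text!r}")
    return tuple(int(part) for part in match.groups())

def is_patched(version_text):
    """True when the installed Claude Code is 1.0.39 or later."""
    return parse_version(version_text) >= PATCHED_VERSION

def declared_yarn_plugins(yarnrc_text):
    """Entries under 'plugins:' in a .yarnrc.yml, written as '- path: <file>'
    (optionally followed by 'spec:') or a bare '- <file>'. Minimal scanner."""
    plugins, in_plugins = [], False
    for line in yarnrc_text.splitlines():
        if re.match(r"^plugins:\s*$", line):
            in_plugins = True
            continue
        if line.strip() and not line[0].isspace():
            in_plugins = False        # another top-level key ends the block
        if not in_plugins:
            continue
        entry = re.match(r"^\s*-\s*(?:path:\s*)?([^\s#]+)", line)
        if entry:
            plugins.append(entry.group(1).strip("\"'"))
    return plugins

def review_before_opening(yarnrc_text, version_text):
    """(ok, findings): ok is False only for unpatched Claude Code plus plugins."""
    plugins = declared_yarn_plugins(yarnrc_text)
    findings = [f"project declares Yarn plugin: {p}" for p in plugins]
    patched = is_patched(version_text)
    if not patched:
        findings.append(f"Claude Code {version_text!r} is older than 1.0.39")
    return patched or not plugins, findings
```

Feed `review_before_opening` the contents of an untrusted project's `.yarnrc.yml` and your installed version string before opening that directory; any listed plugin is code that Yarn 3+ will load from the project itself.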
