CVE-2025-65099
Published: 19 November 2025
Summary
CVE-2025-65099 is a critical-severity Code Injection (CWE-94) vulnerability in Anthropic Claude Code. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 25.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Timely patching of Claude Code to version 1.0.39 directly eliminates the vulnerability that allowed yarn plugin code execution before the trust dialog.
Malicious code protection mechanisms block or quarantine arbitrary code in yarn plugins from untrusted projects upon execution attempt.
Integrity verification of software and project components detects unauthorized modifications or execution of malicious yarn plugins.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability enables arbitrary code execution via malicious Yarn plugins/config in an untrusted directory before the startup trust dialog, exploiting the client application (T1203) and bypassing the directory trust defense (T1211).
NVD Description
Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39.
Deeper analysis [AI]
CVE-2025-65099 is a code injection vulnerability (CWE-94) affecting Claude Code, an agentic coding tool from Anthropic, in versions prior to 1.0.39. The issue arises when Claude Code runs on a machine with Yarn 3.0 or above, allowing the tool to be tricked into executing arbitrary code contained in a project through yarn plugins before the user accepts the startup trust dialog. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high-impact confidentiality, integrity, and availability compromises.
Exploitation requires a user to initiate Claude Code in an untrusted directory while using Yarn 3.0 or higher, enabling an attacker with control over that project—such as through a malicious repository—to trigger code execution automatically upon startup, bypassing the trust dialog. No special privileges or additional user interaction beyond starting the tool in the compromised environment are needed, making it feasible for remote attackers distributing tainted projects.
The GitHub security advisory (GHSA-5hhx-v7f6-x7gv) confirms the issue has been addressed in Claude Code version 1.0.39, recommending users upgrade immediately to mitigate the risk. Practitioners should verify Yarn versions and audit directories before launching the tool in potentially untrusted contexts.
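The pre-launch audit suggested above, as an added example that is not Claude Code's, Yarn's or the advisory's own code: it checks the two version preconditions the record states (Yarn 3.0 or above, Claude Code before 1.0.39) and lists what a project checkout would hand to Yarn 3+ for execution, namely `plugins` and `yarnPath` entries in `.yarnrc.yml` and files under `.yarn/plugins` and `.yarn/releases`. The sample project built in `demo()` is constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical defender-side audit (not Claude Code's or Yarn's own code): before
# opening an untrusted project, report the pieces Yarn 3+ would execute from the
# project itself (.yarnrc.yml plugins / yarnPath, bundled plugin and release files).
YARNRC_EXEC_KEYS = ("plugins", "yarnPath")
PROJECT_CODE_DIRS = (".yarn/plugins", ".yarn/releases")


def yarn_is_affected(version: str) -> bool:
    """The advisory's precondition: Yarn 3.0 or above."""
    m = re.match(r"\s*v?(\d+)\.(\d+)", version)
    return bool(m) and int(m.group(1)) >= 3


def claude_code_is_patched(version: str) -> bool:
    """Fixed in 1.0.39; anything older is in scope."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return parts >= (1, 0, 39)


def audit_project(root: Path) -> list[str]:
    """Return findings; an empty list means no project-supplied Yarn code was found."""
    findings = []
    rc = root / ".yarnrc.yml"
    if rc.is_file():
        for line in rc.read_text(errors="replace").splitlines():
            key = line.split(":", 1)[0].strip()
            # Only top-level keys matter; indented lines are nested values.
            if not line.startswith((" ", "\t", "#")) and key in YARNRC_EXEC_KEYS:
                findings.append(f".yarnrc.yml sets '{key}': {line.strip()}")
    for rel in PROJECT_CODE_DIRS:
        d = root / rel
        if d.is_dir():
            for f in sorted(p for p in d.rglob("*") if p.is_file()):
                findings.append(f"project ships executable Yarn code: {f.relative_to(root)}")
    return findings


def demo() -> list[str]:
    """Constructed sample checkout carrying a Yarn plugin; returns its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".yarn" / "plugins").mkdir(parents=True)
        (root / ".yarn" / "plugins" / "plugin-sample.cjs").write_text("module.exports = {};\n")
        (root / ".yarnrc.yml").write_text(
            "nodeLinker: node-modules\n"
            "plugins:\n  - path: .yarn/plugins/plugin-sample.cjs\n"
            "yarnPath: .yarn/releases/yarn-3.6.0.cjs\n"
        )
        return audit_project(root)


if __name__ == "__main__":
    for finding in demo():
        print("WARNING:", finding)
```

Run `audit_project(Path("."))` in a checkout before starting Claude Code there; any finding means Yarn 3+ would run project-supplied code, which is the exact path this record describes.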
Details
- CWE(s)