CVE-2025-65099

9.8 CRITICAL

📋 TL;DR

CVE-2025-65099 is a critical code execution vulnerability in Claude Code where Yarn plugins present in a project directory could run before the user had accepted the trust dialog for that directory. This affects users running Claude Code versions below 1.0.39 with Yarn 3.0+ installed who open Claude Code in an untrusted directory. An attacker who controls the contents of that directory could gain arbitrary code execution on the victim's system.

💻 Affected Systems

Products:
  • Claude Code
Versions: All versions prior to 1.0.39
Operating Systems: All platforms where Claude Code runs
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Yarn 3.0 or higher installed on the system and user opening Claude Code in an untrusted directory.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary code execution, allowing attackers to steal data, install malware, or pivot to other systems.

🟠

Likely Case

Local privilege escalation and data theft from the compromised user's environment and project files.

🟢

If Mitigated

No impact if users avoid untrusted directories or have patched to version 1.0.39+.

🌐 Internet-Facing: LOW - This requires local access or social engineering to trick users into opening untrusted projects.
🏢 Internal Only: MEDIUM - Internal developers could be targeted via malicious projects in shared repositories or collaboration tools.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires social engineering to get user to open untrusted project.

Exploitation requires user interaction (opening Claude Code in untrusted directory) and specific Yarn version.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.39

Vendor Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv

Restart Required: Yes

Instructions:

1. Update Claude Code to version 1.0.39 or later via your package manager or download from official sources.
2. Restart Claude Code to apply the fix.

🔧 Temporary Workarounds

Avoid untrusted directories

Platforms: all

Only run Claude Code in trusted project directories that you control.

Downgrade Yarn

Platforms: all

Use Yarn version below 3.0 to avoid the plugin execution vulnerability.

npm install -g yarn@2.4.3

🧯 If You Can't Patch

  • Implement strict policies prohibiting Claude Code use in untrusted directories or with untrusted projects.
  • Use application allowlisting to restrict Claude Code execution to specific trusted directories only.

🔍 How to Verify

Check if Vulnerable:

A host is exposed when both conditions hold: the Claude Code version is below 1.0.39 and the installed Yarn version is 3.0 or higher.

Check Version:

claude-code --version

Verify Fix Applied:

Confirm that the Claude Code version is 1.0.39 or higher and, when opening an untrusted directory, that no Yarn plugin runs before the trust dialog has been accepted.
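The two version checks above, as an added example script (not part of the advisory and not Anthropic's own tooling). It assumes the version commands named on this page, `claude-code --version` and `yarn --version`, and that both print a dotted numeric version, possibly with surrounding text; the comparison logic works on any such strings, so it can also be fed inventory data collected elsewhere.

```shell
#!/bin/sh
# Added example: decide whether a host is exposed to CVE-2025-65099 from its
# Claude Code and Yarn version strings. Exposed = Claude Code < 1.0.39 AND Yarn >= 3.0.

# norm_version STRING : keep only the leading dotted numeric version
# e.g. "1.0.39 (Claude Code)" -> "1.0.39", "v3.2.1" -> "3.2.1"
norm_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B : exit 0 when version A >= version B (compares the first
# three numeric components; missing components count as 0)
version_ge() {
    a="$(norm_version "$1").0.0"   # pad so every component exists
    b="$(norm_version "$2").0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# is_vulnerable CLAUDE_VERSION YARN_VERSION : exit 0 when the pair is exposed
is_vulnerable() {
    if version_ge "$1" "1.0.39"; then return 1; fi   # patched build
    if version_ge "$2" "3.0"; then return 0; fi      # Yarn 3.0+ present
    return 1                                          # Yarn too old to matter
}

# check_host : query the local commands (assumed names from the advisory) and report
check_host() {
    cc=$(claude-code --version 2>/dev/null) || { echo "claude-code not found"; return 2; }
    yv=$(yarn --version 2>/dev/null) || { echo "yarn not installed: not exposed"; return 1; }
    if is_vulnerable "$cc" "$yv"; then
        echo "VULNERABLE: Claude Code $cc with Yarn $yv (update to 1.0.39+)"
        return 0
    fi
    echo "not exposed: Claude Code $cc, Yarn $yv"
    return 1
}

# Run the live check only when invoked as: sh check.sh --run
case "${1:-}" in
    --run) check_host ;;
esac
```

`check_host` exits 0 only when the host is exposed, so it can be used directly as a fleet-wide inventory check; the pure functions `version_ge` and `is_vulnerable` take any version strings and need no local install.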

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Yarn plugin execution before trust dialog
  • Claude Code process spawning from untrusted directories

Network Indicators:

  • Unusual outbound connections from Claude Code process to unknown domains

SIEM Query:

Process creation where parent_process contains 'claude-code' and command_line contains 'yarn' or 'plugin'
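The SIEM pseudo-query above expressed as a runnable filter over process-creation records, added here as an example (not part of the advisory). The event format, pipe-separated `timestamp|parent_process|process|command_line`, and the sample events are constructed for this example; map the field numbers to your own telemetry export.

```shell
#!/bin/sh
# Added example: apply the advisory's detection logic (parent process contains
# 'claude-code' AND command line contains 'yarn' or 'plugin') to process-creation
# records. Field layout assumed here: timestamp|parent_process|process|command_line

# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS='2025-11-20T10:01:02Z|/usr/bin/claude-code|/usr/bin/node|node /usr/lib/yarn/yarn.js install
2025-11-20T10:01:05Z|/usr/bin/bash|/usr/bin/yarn|yarn plugin import typescript
2025-11-20T10:02:11Z|/usr/bin/claude-code|/usr/bin/yarn|yarn plugin import ./.yarn/plugins/example.cjs
2025-11-20T10:03:00Z|/usr/bin/claude-code|/usr/bin/git|git status'

# match_events [FILE] : print records matching the query; reads stdin when no file given
match_events() {
    awk -F'|' '
        tolower($2) ~ /claude-code/ && tolower($4) ~ /(yarn|plugin)/ { print }
    ' "${1:--}"
}

# count_sample_matches : number of sample records the query flags
count_sample_matches() {
    printf '%s\n' "$SAMPLE_EVENTS" | match_events | wc -l | tr -d ' '
}

# Show the flagged sample records when run directly.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_EVENTS" | match_events ;;
esac
```

Only the two records whose parent is `claude-code` and whose command line names `yarn` or `plugin` are flagged; the `bash`-spawned `yarn plugin import` is ignored because the rule keys on the parent, which is what distinguishes plugin execution driven by Claude Code from a developer's own shell activity. Expect legitimate hits from Claude Code running `yarn install` in trusted projects, so triage on the parent directory and the plugin path rather than alerting on every match.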
