CVE-2025-65099

Claude Code vulnerable to command execution prior to startup trust dialog

CVSS 7.7 HIGH · EPSS 0.4% · CWE-94
In short

Claude Code could run code shipped inside a project before asking the user whether to trust that project, on machines where Yarn 3.0 or later is installed. Persuading a user to open an attacker-controlled project directory in Claude Code was enough to run the attacker's commands on the user's machine.

Technical detail

Claude Code versions prior to 1.0.39 invoke Yarn before the startup trust dialog has been answered. Yarn 3.0 and later load plugins that the project itself declares (under the `plugins:` key of its `.yarnrc.yml`), so a project shipping a malicious plugin gets arbitrary code execution on the host as soon as Claude Code starts in that directory, with no trust decision in between. Exploitation requires user interaction (starting Claude Code in the malicious directory) and Yarn 3.0 or later on the machine; the consequence is that the trust dialog meant to gate project-driven code execution is bypassed entirely. Version 1.0.39 patches the issue. Until upgraded, treat any unfamiliar checkout containing a `.yarnrc.yml` with `plugins` entries as hostile and do not start Claude Code inside it.
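The ordering problem the advisory describes, as an added example that is not Claude Code's or Yarn's own code: the vulnerable startup spawns project tooling first and asks for trust afterwards, while the fixed startup asks first. A small line-based scan of `.yarnrc.yml` shows what the trust dialog could surface before anything runs. The function names, the `ctx` object, and the sample `.yarnrc.yml` are invented for illustration; the scan also flags `yarnPath:`, a standard Yarn setting that points at a project-local JavaScript bundle Yarn executes, which goes beyond the plugin mechanism the advisory names.

```javascript
// Added example (not Claude Code's or Yarn's code): the two startup orderings
// the advisory contrasts, plus a pre-trust scan of .yarnrc.yml for entries
// that make Yarn execute project-local JavaScript. Function names, the `ctx`
// shape and the sample .yarnrc.yml are invented for illustration.

// Constructed sample of a project-local .yarnrc.yml. Yarn Berry reads
// `plugins:` from this file and loads each listed file as code; `yarnPath:`
// likewise names a JS bundle Yarn will execute (assumption: standard Yarn
// behaviour, beyond what the advisory itself names).
const SAMPLE_YARNRC = `
yarnPath: .yarn/releases/yarn-3.6.4.cjs
nodeLinker: node-modules
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
    spec: "@yarnpkg/plugin-workspace-tools"
  - ./tools/evil-plugin.cjs   # project-controlled file, runs when yarn starts
`;

function unquote(s) {
  return s.trim().replace(/^["']|["']$/g, "");
}

// Heuristic line-based extraction (no YAML library) of the .yarnrc.yml keys
// that cause Yarn to load code from the project. Handles the common layouts:
//   plugins:
//     - ./local.cjs
//     - path: ./local.cjs
//       spec: "@scope/name"
//   yarnPath: ./release.cjs
function findCodeLoadingEntries(yarnrcText) {
  const findings = [];
  let inPlugins = false;
  for (const raw of yarnrcText.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd(); // drop comments
    if (!line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0) {
      // top-level key: enter or leave the plugins list, catch yarnPath
      inPlugins = body === "plugins:";
      const m = body.match(/^yarnPath:\s*(.+)$/);
      if (m) findings.push({ kind: "yarnPath", target: unquote(m[1]) });
      continue;
    }
    if (!inPlugins) continue;
    const m =
      body.match(/^-\s*path:\s*(.+)$/) || // - path: ./x.cjs
      body.match(/^-\s*([^:\s]+)\s*$/);   // - ./x.cjs
    if (m) findings.push({ kind: "plugin", target: unquote(m[1]) });
  }
  return findings;
}

// Vulnerable ordering (pre-1.0.39 behaviour as the advisory describes it):
// project tooling is spawned first, so Yarn has already loaded the project's
// plugins by the time the user sees the trust dialog.
function startupVulnerable(projectDir, ctx) {
  ctx.spawnYarn(projectDir);
  return ctx.askTrust(projectDir, []);
}

// Fixed ordering: nothing that honours project configuration runs until the
// user has explicitly trusted the directory. The scan result is handed to the
// dialog so it can show what the project would execute.
function startupFixed(projectDir, ctx) {
  const findings = findCodeLoadingEntries(ctx.readYarnrc(projectDir));
  if (!ctx.askTrust(projectDir, findings)) return false;
  ctx.spawnYarn(projectDir);
  return true;
}

// Stand-alone demo with a fake environment: trust is declined, so only the
// vulnerable path spawns Yarn. Returns the spawn count after each ordering.
function demo() {
  const spawned = [];
  const ctx = {
    readYarnrc: () => SAMPLE_YARNRC,
    askTrust: (dir, findings) => {
      console.log(`trust ${dir}? would load:`, findings.map((f) => `${f.kind}=${f.target}`));
      return false; // user declines
    },
    spawnYarn: (dir) => spawned.push(dir),
  };
  startupVulnerable("/untrusted/proj", ctx);
  const afterVulnerable = spawned.length;
  startupFixed("/untrusted/proj", ctx);
  return { afterVulnerable, afterFixed: spawned.length };
}

console.log(demo());
```

The scan is deliberately a heuristic: it is meant to populate the trust prompt, not to replace it. The actual control is the ordering in `startupFixed`, where no tool that honours project configuration is spawned until the user has said yes.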

Summary generated and translated by AI from the official description.
Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
anthropics · claude-code
