Security Advisory: Arbitrary Code Execution in Anthropic's Claude Code

Dec 19, 2025 by Benjamin Faller

On a Sunday evening during the summer, we discovered a high-severity vulnerability in Anthropic’s Claude Code CLI tool. This flaw, assigned CVE-2025-59828/CVE-2025-65099, allowed attackers who can trick a victim into starting Claude Code prior to version 1.0.39 within an untrusted directory to gain arbitrary code execution. Exploitation would have required any version of the Yarn package manager to be installed on the target machine. User interaction, such as acceptance of the startup trust dialog, was not necessary. This issue has been assigned a CVSS v4.0 score of 7.7 (High) and was addressed in version 1.0.39.

Vulnerability Details

The vulnerability exists in how Claude Code initializes and inspects the local environment. When the claude command is executed, the tool attempts to identify installed tools and their versions, which includes running yarn --version.

This execution occurs before the application prompts the user to trust the current directory. Yarn allows for configuration via .yarnrc.yml files, which can define specific execution paths (yarnPath) or plugins that execute code upon invocation. Consequently, if a user runs Claude Code in a directory containing a malicious configuration, the code executes without the need for further confirmation or user interaction.

  • Vulnerability Type: Arbitrary Code Execution
  • Attack Vector: Local execution in an untrusted directory
  • Execution Context: User’s local shell/filesystem
  • Affected Product: Claude Code versions prior to 1.0.39
  • CVSS Score: 7.7 (High - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
  • CVE: CVE-2025-59828, CVE-2025-65099

It should be noted that at the time of writing, the information given in the CVEs and GitHub advisories may not be fully accurate regarding the affected Yarn versions. This is due to Anthropic publishing two advisories and CVEs for the same flaw. Based on our tests, this attack is successful on all Yarn versions using the yarnPath technique, and starting from version 2.0.0-rc.23 for the plugin technique.

Further information and technical details can be found in a separately published article by the researchers.

Proof of Concept (PoC)

A full PoC has been published on GitHub, demonstrating both attack techniques in more detail.

For instance, when using the yarnPath technique, attackers can create two files in a directory. First, a .yarnrc.yml configuration file that points the yarnPath to a malicious script:

yarnPath: "./script.js"

Second, a malicious script.js file:

const { execSync } = require('child_process');
execSync('echo "Pwned!" | tee proof.txt', { stdio: 'inherit' });

When a victim navigates to this directory and starts Claude Code using the claude command, the script.js file is executed immediately through yarn --version. This results in the creation of proof.txt (or any other arbitrary command execution) before the trust dialog appears or is accepted.

Impact

This vulnerability poses a significant threat to developers using Claude Code. If a victim can be tricked into running the tool inside a repository or folder containing malicious Yarn configuration files, the attackers achieve arbitrary code execution with the privileges of the current user. Because the execution happens silently in the background before the trust prompt is confirmed, the user has no opportunity to prevent the attack once Claude Code is started. This could lead to data theft, installation of malware, or full system compromise.

Mitigation Recommendations

The vendor has patched this issue in Claude Code version 1.0.39. It is recommended that all users upgrade to the latest version of Claude Code. For additional defense-in-depth measures, Redguard recommends the following practices to reduce the impact of this and similar vulnerabilities:

  • Risk Minimization: If possible, never execute development tools or CLI agents in untrusted directories or repositories, as many tools implicitly trust the local configuration. If processing of untrusted data is required, strong sandboxing and isolation are recommended to contain the impact in case of compromise.
  • Threat Model Awareness: It is advised to consider the specific threat model applied to applications such as package managers. If that threat model regards operating on untrusted information as unsafe, apply risk minimization at a minimum.

Credits

  • Benjamin Faller, Redguard AG
  • Michael Hess

Disclosure Timeline

The following timeline details the steps taken in the coordinated vulnerability disclosure process:

  • 2025-06-29: Identified vulnerability
  • 2025-06-30: Reported vulnerability through Anthropic’s VDP on HackerOne
  • 2025-07-09: Anthropic set the vulnerability report to resolved, announced a bounty, and recommended reporting our findings to Yarn.
  • 2025-07-09: First attempt to contact Yarn steward through Discord
  • 2025-07-10: First inquiry whether a CVE will be published by Anthropic
  • 2025-07-18: Anthropic informed us that they were working on publishing a CVE
  • 2025-07-24 to 2025-07-26: Initiated a Coordinated Vulnerability Disclosure with Yarn via private email and provided technical details after their initial response. It was explained that this is not considered a vulnerability per the current threat model, but the Yarn steward agreed to submit a PR clarifying this in the official documentation.
  • 2025-07-31: After internal discussion, we decided to not continue the disclosure with Yarn due to the threat model and asked for a link to include in this article, which was unfortunately left unanswered.
  • 2025-09-24: Anthropic published a CVE and GitHub advisory (this went unnoticed by us and was not communicated through HackerOne)
  • 2025-11-14: Second inquiry about the publication of a CVE and information about our plans to publish an article
  • 2025-11-14: Anthropic informed us that they were working on getting the CVE published and asked for a draft article to review
  • 2025-11-19: Anthropic published a second CVE and GitHub advisory
  • 2025-12-08: Draft article sent to Anthropic for review
  • 2025-12-18: After inquiry about the review, Anthropic updated the initially published GitHub advisory with the information from the draft article. We thus noticed that two advisories/CVEs were published.
  • 2025-12-19: Published this article and informed Anthropic that multiple CVEs/advisories were published

Disclaimer

This advisory is not an exhaustive list of all potential security issues for the mentioned software. Other vulnerabilities may exist. The information provided is believed to be accurate at the time of publishing. Use of this information is at your own risk. Neither the author nor the publisher accepts any liability for any loss or damage arising from the use of, or reliance on, this information.

