CVE-2025-59828 Overview
CVE-2025-59828 is a high-severity vulnerability affecting Anthropic Claude Code, an agentic coding tool. Prior to version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This behavior could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory.
Critical Impact
Malicious Yarn plugins can execute arbitrary code before users have a chance to review and accept the security risks of an untrusted directory, potentially leading to unauthorized code execution on the user's system.
Affected Products
- Anthropic Claude Code versions prior to 1.0.39
- Claude Code installations using Yarn 2.0+ (Berry)
- Node.js environments running vulnerable Claude Code versions
Discovery Timeline
- 2025-09-24 - CVE CVE-2025-59828 published to NVD
- 2025-11-26 - Last updated in NVD database
Technical Details for CVE-2025-59828
Vulnerability Analysis
This vulnerability falls under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The core issue stems from the interaction between Claude Code's trust model and Yarn Berry's plugin system. When Claude Code performs package management operations, it may invoke Yarn commands that trigger automatic plugin execution before the user has explicitly trusted the working directory.
The security boundary that Claude Code establishes through its directory trust dialog is effectively bypassed because Yarn Berry plugins execute during routine version checks and other Yarn operations. This creates a window where potentially malicious code embedded in Yarn plugins can run with the user's privileges without explicit consent.
Users running Yarn Classic (version 1.x) are unaffected by this vulnerability, as the plugin auto-execution behavior is specific to Yarn 2.0 and later versions (Yarn Berry).
Root Cause
The root cause is the order of operations in Claude Code's initialization sequence when working with Yarn Berry projects. The application did not account for Yarn 2.0+'s plugin architecture, which auto-executes plugins during common Yarn operations. This means that simply checking the Yarn version or performing preliminary package management checks could trigger plugin code execution before the directory trust evaluation was complete.
Attack Vector
The attack requires a network-accessible malicious repository or project that an attacker crafts with a malicious Yarn plugin configuration. When a user opens this project in Claude Code:
- Claude Code attempts to gather project information, including checking Yarn version
- Yarn 2.0+ automatically executes any configured plugins during this check
- The malicious plugin code runs before the user sees or accepts the trust dialog
- The attacker achieves code execution in the context of the user's session
The attack requires user interaction in the form of opening an untrusted project, but the trust bypass means users cannot make an informed decision before potentially malicious code executes.
Detection Methods for CVE-2025-59828
Indicators of Compromise
- Unexpected Yarn plugin files in project .yarn/plugins/ directories
- Modified .yarnrc.yml files with suspicious plugin configurations
- Unusual process spawning from Yarn or Claude Code processes
- Network connections initiated during project initialization before trust acceptance
Detection Strategies
- Monitor for unexpected plugin entries in .yarnrc.yml files within project directories
- Implement file integrity monitoring on Yarn configuration files
- Review process trees for unusual child processes spawned during Claude Code initialization
- Alert on Yarn plugin execution in directories that have not been explicitly trusted
Monitoring Recommendations
- Enable verbose logging for Claude Code operations to track initialization sequences
- Monitor system calls and file access patterns during project opening operations
- Implement endpoint detection rules for suspicious Yarn plugin behavior
- Review audit logs for Claude Code process activity in newly accessed directories
How to Mitigate CVE-2025-59828
Immediate Actions Required
- Update Claude Code to version 1.0.39 or later immediately
- Review any recently opened projects for suspicious Yarn plugin configurations
- Audit .yarnrc.yml and .yarn/plugins/ directories in projects for unexpected content
- Consider temporarily using Yarn Classic for untrusted projects until update is applied
Patch Information
This vulnerability has been fixed in Claude Code version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates should update to the latest version immediately.
For more information, refer to the GitHub Security Advisory.
Workarounds
- Manually inspect .yarnrc.yml files in project directories before opening them in Claude Code
- Remove or disable Yarn plugins from untrusted projects before opening
- Use Yarn Classic (version 1.x) for untrusted projects as a temporary mitigation
- Implement directory-level restrictions to prevent plugin auto-execution
# Check for Yarn plugins in a project before opening
cat .yarnrc.yml | grep -i "plugins"
ls -la .yarn/plugins/ 2>/dev/null
# Temporarily switch to Yarn Classic for untrusted projects
corepack prepare yarn@1.22.22 --activate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
