SentinelOne

CVE-2025-65099: Anthropic Claude Code RCE Vulnerability

CVE-2025-65099 is a remote code execution flaw in Anthropic Claude Code that allows malicious code execution via Yarn plugins before user trust approval. This article covers technical details, affected versions, and patches.


CVE-2025-65099 Overview

Claude Code is an agentic coding tool developed by Anthropic. Prior to version 1.0.39, a code injection vulnerability existed that could allow malicious code execution through Yarn plugins before the user accepted the startup trust dialog. This vulnerability specifically affects users running Claude Code on machines with Yarn 3.0 or above, where an attacker could craft a malicious project directory containing weaponized Yarn plugins.

Critical Impact

Attackers could achieve arbitrary code execution on affected systems by tricking users into starting Claude Code in a malicious project directory, bypassing the trust dialog security control entirely.

Affected Products

  • Anthropic Claude Code versions prior to 1.0.39
  • Systems running Yarn 3.0 or above
  • Claude Code for Node.js environments

Discovery Timeline

  • 2025-11-19 - CVE-2025-65099 published to NVD
  • 2025-11-25 - Last updated in NVD database

Technical Details for CVE-2025-65099

Vulnerability Analysis

This vulnerability represents a Code Injection flaw (CWE-94) in Anthropic's Claude Code agentic coding tool. The core issue stems from the order of operations during Claude Code's initialization process. When a user launches Claude Code in a directory containing a malicious project, the application processes Yarn plugin configurations before presenting the user with the startup trust dialog.

This design flaw creates a critical security gap where code can be executed without explicit user consent. The trust dialog, which is intended to serve as a security gate for untrusted directories, becomes ineffective because the malicious Yarn plugins have already been loaded and executed by the time the dialog appears.

The vulnerability requires user interaction to exploit—specifically, a user must start Claude Code in an untrusted directory. However, in real-world scenarios, developers frequently navigate to and open projects from various sources including cloned repositories, downloaded archives, or shared project directories.

Root Cause

The root cause of this vulnerability is improper initialization sequencing in Claude Code's startup process. The application integrates with Yarn's plugin system without adequately considering the security implications of loading and executing Yarn plugins before obtaining user trust confirmation.

Yarn 3.0 introduced a powerful plugin architecture that allows plugins to hook into various Yarn operations. These plugins are defined in the .yarnrc.yml configuration file and can contain or reference arbitrary JavaScript code. Claude Code's failure to defer Yarn plugin processing until after the trust dialog is accepted creates the exploitable condition.

Attack Vector

The attack vector for this vulnerability is network-based, requiring social engineering to convince a victim to open a malicious project directory. An attacker would need to:

  1. Create a malicious project containing a crafted .yarnrc.yml file
  2. Include a weaponized Yarn plugin with malicious JavaScript code
  3. Distribute the project to potential victims (via repository hosting, email, or other means)
  4. Wait for the victim to start Claude Code in that directory

The malicious Yarn plugin executes automatically during Claude Code's initialization, potentially allowing the attacker to gain code execution on the victim's machine, exfiltrate sensitive data, or establish persistence before the user has any opportunity to review and reject the untrusted project.

Detection Methods for CVE-2025-65099

Indicators of Compromise

  • Presence of unexpected or modified .yarnrc.yml files in project directories
  • Suspicious Yarn plugin entries pointing to local or remote malicious code
  • Unusual process spawning or network connections during Claude Code startup
  • Evidence of code execution before trust dialog acceptance in application logs

Detection Strategies

  • Monitor for creation or modification of .yarnrc.yml files containing plugin configurations in untrusted directories
  • Implement file integrity monitoring for Yarn configuration files in development environments
  • Use endpoint detection to identify suspicious JavaScript execution patterns during Claude Code initialization
  • Review Claude Code logs for evidence of plugin execution before user interaction

Monitoring Recommendations

  • Enable verbose logging in Claude Code to track initialization sequences
  • Configure EDR solutions to monitor for process creation during Claude Code startup
  • Implement alerting for Yarn plugin configuration changes in shared development environments
  • Review and audit .yarnrc.yml files when opening projects from external sources

How to Mitigate CVE-2025-65099

Immediate Actions Required

  • Upgrade Claude Code to version 1.0.39 or later immediately
  • Audit existing projects for suspicious .yarnrc.yml configurations
  • Review and validate Yarn plugins in all development environments
  • Educate developers about the risks of opening untrusted project directories

Patch Information

Anthropic has addressed this vulnerability in Claude Code version 1.0.39. The patch ensures that Yarn plugins are not loaded and executed until after the user has reviewed and accepted the startup trust dialog. Users should upgrade to the latest version through their standard update channels.

For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

  • Avoid starting Claude Code in untrusted or unfamiliar project directories until the upgrade is applied
  • Manually inspect .yarnrc.yml files for suspicious plugin configurations before opening projects
  • Consider temporarily downgrading to Yarn 2.x or below if immediate patching is not possible
  • Use isolated development environments or containers when working with untrusted code

```bash
# Verify your Claude Code version and upgrade if necessary
# Check current version
claude --version

# Upgrade to patched version 1.0.39 or later (the npm package is @anthropic-ai/claude-code)
npm install -g @anthropic-ai/claude-code@latest

# Inspect the Yarn configuration of a project directory before starting Claude Code in it;
# -A3 also shows the path/spec lines that follow each plugin entry
grep -n -i -A3 'plugin' .yarnrc.yml
```
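The grep above only shows that a plugins section exists. As an added example (not code from SentinelOne, Anthropic or the Yarn project), the following Node script reads the plugins list of a .yarnrc.yml and flags the entries a reviewer should open before trusting the directory, which is the manual inspection listed under Workarounds and the "suspicious Yarn plugin entries" indicator above. It assumes Yarn's documented entry shapes (`- path: <file>` with an optional `spec:` line, or a bare `- <file>`) and uses a constructed sample .yarnrc.yml.

```javascript
// Added example (not SentinelOne's or Anthropic's code): audit the plugins:
// section of a Yarn 3 .yarnrc.yml before opening a project in a tool that may
// load those plugins. Assumed entry shapes (no YAML library needed):
//   "- path: <file>" with optional "spec: <name>" line, or a bare "- <file>".
const unquote = (s) => s.trim().replace(/^["']|["']$/g, "");

// Returns [{path, spec?}] for every entry under plugins:.
function extractYarnPlugins(yamlText) {
  const entries = []; let inPlugins = false;
  for (const line of yamlText.split(/\r?\n/)) {
    if (/^plugins:\s*$/.test(line)) { inPlugins = true; continue; }
    if (!inPlugins || line.trim() === "") continue;
    if (!/^\s/.test(line)) break;                 // dedent ends the list
    const item = line.match(/^\s*-\s+(.*)$/);     // "- ..." starts an entry
    if (item) {
      const kv = item[1].match(/^(\w+):\s*(.*)$/);
      entries.push(kv ? { [kv[1]]: unquote(kv[2]) } : { path: unquote(item[1]) });
    } else {
      const kv = line.match(/^\s+(\w+):\s*(.*)$/); // continuation key of entry
      if (kv && entries.length) entries[entries.length - 1][kv[1]] = unquote(kv[2]);
    }
  }
  return entries;
}

// Flags entries a reviewer should inspect. A clean result is not proof of
// safety: a checked-in .cjs under .yarn/plugins/ can still contain anything.
function auditYarnPlugins(yamlText) {
  return extractYarnPlugins(yamlText).map((e) => {
    const p = e.path || "";
    const reasons = [];
    if (/^[a-z]+:\/\//i.test(p)) reasons.push("path is a URL, not a local file");
    if (!p.startsWith(".yarn/plugins/")) reasons.push("plugin file outside .yarn/plugins/");
    if (!e.spec) reasons.push("bare path entry with no spec");
    else if (!e.spec.startsWith("@yarnpkg/")) reasons.push(`third-party plugin ${e.spec}`);
    return { path: p, spec: e.spec || null, suspicious: reasons.length > 0, reasons };
  });
}

// Constructed sample: official plugin, hook outside .yarn/plugins/, bare path.
const SAMPLE_YARNRC = `yarnPath: .yarn/releases/yarn-3.6.4.cjs
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
    spec: "@yarnpkg/plugin-workspace-tools"
  - path: ./scripts/setup-hook.cjs
    spec: "@acme/plugin-setup"
  - .yarn/plugins/helper.js
npmRegistryServer: "https://registry.npmjs.org"
`;
auditYarnPlugins(SAMPLE_YARNRC).forEach((f) => console.log(f.suspicious ? "REVIEW" : "ok", f.path, f.reasons.join("; ")));
```

Run it with `node audit-yarnrc.js` from any directory; to check a real project, replace SAMPLE_YARNRC with the contents of its .yarnrc.yml read via fs.readFileSync, without running yarn itself in that directory.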

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
