Claude Code
CVE-2025-65099
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39.
AnalysisAI
Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39. Affected products include: Anthropic Claude Code. Version information: version 1.0.39.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
More in Claude Code
View allOS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to e
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbi
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution vi
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and shor
Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to injec
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the sta
Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command p
Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repo
Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting
Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no au
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious reposi
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today