Directory Trust Bypass in Claude Code Affected by Yarn Integration
CVE-2025-59828

7.7HIGH

Key Information:

Vendor: Anthropics
Status: Claude-code
Vendor: CVE Published:; 24 September 2025

What is CVE-2025-59828?

Claude Code, an advanced coding tool, has a vulnerability that allows Yarn plugins to be auto-executed when checking the Yarn version, prior to user consent on working in untrusted directories. This issue affects versions before 1.0.39 and poses significant security risks. Users running Yarn Classic remain unaffected. The vulnerability has been addressed and users are encouraged to update to the latest version to ensure their security.

Affected Version(s)

claude-code < 1.0.39

References

https://github.com/anthropics/claude-code/security/adviso...

x_refsource_CONFIRM

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 24, 2025
Vulnerability Reserved
Sep 22, 2025

JSON

Anthropics

What is CVE-2025-59828?

Affected Version(s)

References

CVSS V4

Timeline