CVE-2025-59828
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-24

Last updated on: 2025-11-26

Assigner: GitHub, Inc.

Description
Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. This issue has been fixed in version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-24
Last Modified
2025-11-26
Generated
2026-06-16
AI Q&A
2025-09-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59828
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anthropic claude_code to 1.0.39 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Claude Code versions prior to 1.0.39 when used with Yarn versions 2.0 or higher. Yarn plugins are automatically executed when running 'yarn --version', which causes the plugins to run before the user has accepted the risks of working in an untrusted directory. This behavior allows a bypass of the directory trust dialog in Claude Code, potentially executing untrusted code without user consent. Users running Yarn Classic are not affected. The issue has been fixed in Claude Code version 1.0.39.

Impact Analysis

This vulnerability can lead to the execution of untrusted Yarn plugins before the user has accepted the risks of working in an untrusted directory. This could allow malicious code to run without user consent, potentially compromising the security of the user's environment or data. It increases the risk of unauthorized code execution and related security impacts.

Mitigation Strategies

Update Claude Code to version 1.0.39 or later. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates should update to the latest version to mitigate the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart