PT-2025-39338 · Npm+1 · Yarn+1
Published 2025-09-24 · Updated 2025-09-28 · CVE-2025-59828
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Claude Code versions prior to 1.0.39
Description
Claude Code is an agentic coding tool. In versions prior to 1.0.39, when used with Yarn 2.0 or higher, Yarn plugins are automatically executed when Claude Code runs yarn --version. This could bypass the directory trust dialog within Claude Code, because the plugins execute before the user acknowledges the risks of working in an untrusted directory. Users of Yarn Classic were not affected by this issue. The auto-execution of Yarn plugins occurs via the yarn --version command.
Recommendations
Update to Claude Code version 1.0.39 or later.
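A pre-trust check a defender can run before Claude Code (or any other tool) invokes yarn in a freshly cloned directory, added here as an illustration and not part of the advisory or of Claude Code itself: it reads .yarnrc.yml with a minimal parser and reports which plugins Yarn 2+ would load on any invocation, including a bare yarn --version, so the directory can be reviewed before the trust decision is made. The sample file, the function names and the result keys are constructed for this example.

```python
import re
from pathlib import Path

# Constructed sample .yarnrc.yml (not from the advisory): a Yarn 2+ project
# declaring two plugins, both loaded on every yarn invocation.
SAMPLE_YARNRC = """\
nodeLinker: node-modules
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
    spec: "@yarnpkg/plugin-workspace-tools"
  - ./.yarn/plugins/local-hook.cjs
packageExtensions:
  some-package@*: {}
"""

_PLUGINS_KEY = re.compile(r"^plugins\s*:\s*$")
_PLUGIN_ITEM = re.compile(r"^\s*-\s*(?:path\s*:\s*)?(\S+)\s*$")

def configured_plugins(yarnrc_text: str) -> list[str]:
    """Return plugin paths declared under the top-level `plugins:` key.
    Small line-based reader (no YAML library) for the two item shapes
    Yarn writes: `- <path>` and `- path: <path>` with an indented `spec:`."""
    plugins: list[str] = []
    in_block = False
    for raw in yarnrc_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not in_block:
            in_block = bool(_PLUGINS_KEY.match(line))
            continue
        if not line.startswith((" ", "\t", "-")):
            break  # an unindented key ends the plugins block
        item = _PLUGIN_ITEM.match(line)
        if item:
            plugins.append(item.group(1).strip("'\""))
    return plugins

def assess_yarnrc(yarnrc_text: str) -> dict:
    """Flag whether any yarn command here would load repo-controlled plugin code."""
    plugins = configured_plugins(yarnrc_text)
    return {"plugins": plugins, "plugin_code_runs_on_yarn": bool(plugins)}

def assess_directory(root: Path) -> dict:
    """Inspect a checkout WITHOUT invoking yarn. No .yarnrc.yml means no
    Yarn 2+ project config (Yarn Classic uses .yarnrc and was unaffected)."""
    rc = root / ".yarnrc.yml"
    if not rc.is_file():
        return {"plugins": [], "plugin_code_runs_on_yarn": False}
    return assess_yarnrc(rc.read_text(encoding="utf-8"))
```

Run assess_directory on the cloned path before any yarn invocation; a non-empty plugins list is the case the trust dialog is meant to catch.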
Exploit
Fix
Missing Authorization
Related Identifiers
Affected Products
Claude-Code
Yarn