CVE-2025-59828 is a high-severity vulnerability affecting anthropics' Claude Code, an agentic coding tool, specifically versions prior to 1.0.39. The vulnerability arises when Claude Code is used in conjunction with Yarn package manager versions 2.0 and above. In these affected versions, Yarn plugins are automatically executed during the command 'yarn --version' without requiring explicit user consent or trust confirmation. This behavior effectively bypasses Claude Code's directory trust dialog, which is designed to prevent execution of potentially malicious code in untrusted directories. The core issue is that plugins from untrusted sources can be executed before the user has accepted the risks of working in such directories, leading to an inclusion of functionality from an untrusted control sphere (CWE-829). This can result in unauthorized code execution or other malicious actions within the user's environment. Notably, users running Yarn Classic (version 1.x) are not affected by this vulnerability. The vulnerability requires user interaction (running 'yarn --version') but does not require prior authentication or elevated privileges, and it can be exploited remotely if an attacker can influence the directory context or plugin sources. The issue was addressed in Claude Code version 1.0.39, which prevents auto-execution of Yarn plugins prior to user trust confirmation. Users relying on automatic updates should have received this fix, but manual updaters must upgrade to the latest version to mitigate the risk. The CVSS 4.0 base score is 7.7, reflecting high severity due to network attack vector, low attack complexity, no privileges required, partial user interaction, and high impact on confidentiality, integrity, and availability.

For European organizations, this vulnerability poses a significant risk especially in software development environments where Claude Code and Yarn 2.x+ are used. The bypass of the directory trust dialog can allow attackers to execute malicious plugins or code, potentially leading to unauthorized access, data leakage, or disruption of development workflows. This could compromise intellectual property, introduce backdoors into software projects, or cause supply chain contamination. Given the prevalence of JavaScript and Node.js ecosystems in European tech sectors, and the increasing adoption of agentic coding tools, the vulnerability could affect a broad range of companies from startups to large enterprises. The impact is heightened in regulated industries such as finance, healthcare, and critical infrastructure, where code integrity and supply chain security are paramount. Furthermore, the ease of exploitation without requiring authentication or elevated privileges increases the threat surface. Although no known exploits are reported in the wild yet, the vulnerability's characteristics make it a likely target for attackers aiming to compromise development environments or inject malicious code into software supply chains.

European organizations should immediately verify the version of Claude Code in use and ensure it is updated to version 1.0.39 or later. For environments where automatic updates are disabled or manual updates are performed, a prompt update is critical. Additionally, organizations should implement strict controls on the use of Yarn plugins, including auditing and restricting plugin sources to trusted registries. Development environments should enforce policies that require explicit user confirmation before executing code or plugins from untrusted directories. Employing runtime monitoring to detect anomalous plugin executions or unexpected network activity originating from development tools can provide early detection of exploitation attempts. Integrating supply chain security tools that scan for malicious or unauthorized plugins in the Node.js ecosystem can further reduce risk. Training developers to recognize the risks of untrusted directories and plugins and to follow secure development practices is also essential. Finally, organizations should consider isolating development environments or using containerization to limit the impact of potential exploitation.