CVE-2025-65099 is a code injection vulnerability categorized under CWE-94, affecting anthropics' Claude Code, an agentic coding tool designed to assist developers. The vulnerability exists in versions prior to 1.0.39 when Claude Code is executed on systems with Yarn 3.0 or later. Yarn plugins can contain executable code that Claude Code processes before the user has accepted the startup trust dialog, which is intended as a security measure to prevent execution of untrusted code. If a user launches Claude Code in an untrusted directory containing malicious Yarn plugins, the tool can be tricked into executing arbitrary code embedded in those plugins. This execution occurs without prior user consent, potentially allowing attackers to compromise the host system. The attack vector requires the user to start Claude Code in a malicious project directory and interact with the startup process, but no authentication is needed. The vulnerability impacts confidentiality, integrity, and availability by enabling arbitrary code execution, which could lead to data theft, system compromise, or denial of service. The issue has been addressed and patched in version 1.0.39 of Claude Code. No public exploits have been reported to date, but the vulnerability's characteristics warrant prompt remediation. The CVSS 4.0 score of 7.7 reflects the network attack vector, low attack complexity, required user interaction, and high impact on all security properties.

For European organizations, this vulnerability poses a significant risk especially to software development teams and environments that utilize Claude Code in conjunction with Yarn 3.0 or higher. Successful exploitation could lead to unauthorized code execution, resulting in potential data breaches, intellectual property theft, or disruption of development workflows. The integrity of codebases could be compromised, undermining trust in software supply chains. Additionally, availability could be affected if attackers deploy destructive payloads or ransomware. Organizations with remote or distributed development environments are particularly vulnerable, as attackers could lure developers into opening malicious project directories. The risk is heightened in sectors with high reliance on software development tools, such as finance, telecommunications, and technology firms prevalent across Europe. Although no known exploits are currently active in the wild, the ease of exploitation through user interaction and the widespread use of Yarn in modern JavaScript development increase the likelihood of targeted attacks if unpatched.

European organizations should immediately upgrade anthropics Claude Code to version 1.0.39 or later to eliminate this vulnerability. Until upgrading is complete, developers must avoid launching Claude Code in untrusted or unknown project directories, especially those containing Yarn plugins. Implement strict access controls and monitoring on development environments to detect unusual execution patterns or unauthorized code execution. Educate developers about the risks of opening untrusted projects and the importance of verifying the source of Yarn plugins. Employ endpoint detection and response (EDR) solutions capable of identifying suspicious process behaviors related to code injection. Integrate software composition analysis tools to monitor dependencies and plugins for malicious content. Additionally, consider sandboxing development environments or using virtual machines to isolate potentially risky operations. Regularly review and update security policies governing development tools and workflows to incorporate lessons learned from this vulnerability.