CVE-2025-65099 is a code injection vulnerability classified under CWE-94 affecting anthropics' Claude Code, an agentic coding tool designed to assist with coding tasks. The flaw exists in versions prior to 1.0.39 when the software is run on machines with Yarn 3.0 or newer. Yarn plugins can contain executable code that Claude Code loads during startup. Due to improper control over code generation and execution, Claude Code could be tricked into executing malicious code embedded within a project's Yarn plugins before the user had a chance to accept the startup trust dialog. This means that if a user opens Claude Code in a directory containing malicious Yarn plugins, those plugins could execute code without explicit user consent. Exploitation requires user interaction—specifically, starting Claude Code in an untrusted directory—and does not require prior authentication or elevated privileges. The vulnerability impacts confidentiality, integrity, and availability by allowing arbitrary code execution, potentially leading to data theft, system compromise, or disruption of services. The issue has been addressed and patched in version 1.0.39 of Claude Code. No known exploits are currently reported in the wild, but the CVSS 4.0 score of 7.7 reflects the high risk posed by this vulnerability due to its network attack vector, low complexity, and high impact on all security properties.

For European organizations, this vulnerability poses a significant risk especially to software development teams and environments that utilize Claude Code alongside Yarn 3.0 or higher. Successful exploitation could lead to arbitrary code execution, enabling attackers to steal sensitive intellectual property, inject malicious code into development pipelines, or disrupt software development operations. This could result in compromised software integrity, leakage of proprietary code, and potential lateral movement within corporate networks. Organizations in sectors with high reliance on software development, such as finance, technology, and critical infrastructure, could face operational disruptions and reputational damage. The requirement for user interaction and running Claude Code in untrusted directories somewhat limits the attack surface but does not eliminate risk, particularly in environments where developers might open untrusted projects or repositories. The absence of known exploits in the wild provides a window for proactive patching and mitigation.

European organizations should immediately upgrade Claude Code to version 1.0.39 or later to remediate this vulnerability. Until patching is complete, developers should avoid opening Claude Code in untrusted or unknown project directories, especially those containing Yarn plugins. Implement strict policies and training to ensure developers verify the trustworthiness of code repositories before loading them in Claude Code. Employ endpoint protection solutions that can detect and block suspicious code execution originating from development tools. Network segmentation and least privilege principles should be enforced to limit the impact of any potential compromise. Additionally, organizations should monitor for unusual activity related to Claude Code processes and Yarn plugin executions. Incorporating software composition analysis tools to identify vulnerable versions of Claude Code in use can aid in rapid remediation. Finally, maintain up-to-date inventories of development tools and dependencies to ensure timely vulnerability management.