CVE-2025-59828

Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. This issue has been fixed in version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*

History

26 Nov 2025, 17:01

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Anthropic Anthropic claude Code
Summary		(es) Claude Code es una herramienta de codificación agéntica. Antes de la versión 1.0.39 de Claude Code, al usar Claude Code con versiones 2.0+ de Yarn, los plugins de Yarn se auto-ejecutan al ejecutar yarn --version. Esto podría llevar a una omisión del diálogo de confianza de directorio en Claude Code, ya que los plugins se ejecutarían antes de que el usuario aceptara los riesgos de trabajar en un directorio no confiable. Los usuarios que ejecutaban Yarn Classic no se vieron afectados por este problema. Este problema ha sido corregido en la versión 1.0.39. Los usuarios con la actualización automática estándar de Claude Code habrán recibido esta corrección automáticamente. A los usuarios que realizan actualizaciones manuales se les aconseja actualizar a la última versión.
CPE		cpe:2.3:a:anthropic:claude_code::::::node.js::*
References	~~() https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4 -~~	() https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4 - Third Party Advisory

Information

Published : 2025-09-24 20:15

Updated : 2025-11-26 17:01

NVD link : CVE-2025-59828

Mitre link : CVE-2025-59828

CVE.ORG link : CVE-2025-59828

JSON object : View

Products Affected

anthropic

claude_code

CWE

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

CWE-862

Missing Authorization

9.8 /10