CVE-2025-65099

CRITICAL

Claude Code < 1.0.39 - Unauthenticated Code Execution via Yarn Plugin

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-65099. PoCs published by b-faller.

AI-analyzed exploit summary This PoC demonstrates two techniques exploiting CVE-2025-65099 in @anthropic-ai/[email protected] via Yarn path manipulation and plugin interception to achieve arbitrary command execution. The exploit creates a proof.txt file to confirm successful execution.

Description

Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39.

Exploits (1)

nomisec WORKING POC
by b-faller · poc
https://github.com/b-faller/cve-2025-65099

This PoC demonstrates two techniques exploiting CVE-2025-65099 in @anthropic-ai/[email protected] via Yarn path manipulation and plugin interception to achieve arbitrary command execution. The exploit creates a proof.txt file to confirm successful execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: @anthropic-ai/[email protected]
No auth needed
Prerequisites: Docker environment · npm/yarn installed · @anthropic-ai/[email protected] installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.0014
EPSS Percentile 34.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
anthropic/claude_code < 1.0.39
anthropic-ai/claude-code 0 - 1.0.39npm
Published Nov 19, 2025
Tracked Since Feb 18, 2026