Vulnerability Database

315,050

Total vulnerabilities in the database

CVE-2025-65099

Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39.

Published: Nov 19, 2025
Updated: Dec 29, 2025
CVE: CVE-2025-65099
GHSA: GHSA-5hhx-v7f6-x7gv
Severity: High
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
@anthropic-ai / claude-code	-	1.0.39
anthropic / claude_code	-	1.0.39

https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo