GHSA-2jjv-qf24-vfm4

Source
https://github.com/advisories/GHSA-2jjv-qf24-vfm4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-2jjv-qf24-vfm4/GHSA-2jjv-qf24-vfm4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2jjv-qf24-vfm4
Aliases
  • CVE-2025-59828
Published
2025-09-24T18:57:44Z
Modified
2025-09-26T17:49:05Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
Details

Summary

In Claude Code versions prior to 1.0.39, when the tool is used with Yarn 2.x or newer (Berry), Yarn plugins are automatically loaded and executed when running yarn --version. In Claude Code this sequence could execute plugin code before the user accepts the directory trust prompt for an untrusted workspace, resulting in a potential arbitrary code execution path. Yarn Classic (v1) is not affected. The issue is fixed in 1.0.39.

Impact

An attacker who can influence the project directory to include or reference a malicious Yarn plugin, or who can otherwise cause plugin execution in an untrusted directory, may achieve code execution on the machine where Claude Code is invoked. The vulnerability compromises the confidentiality, integrity and availability of the vulnerable host process.

Remediation

Update Claude Code to 1.0.39 or later. Users on auto-update channels receive the fix automatically; manual installations should upgrade explicitly. As defense in depth, avoid running Yarn in untrusted directories and prefer Yarn Classic when plugin functionality is not required.

Background

Yarn 2+ supports a plugin architecture in which plugins are loaded at runtime and can inject behavior into Yarn commands; this capability underpins the observed auto-execution on yarn --version.
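As an added defender-side example, not part of this advisory nor code from Claude Code or Yarn, the Python below reads a workspace's .yarnrc.yml without invoking Yarn, lists the plugins it declares, and flags when running yarn --version should wait until the directory trust prompt has been accepted. The function names, the version comparison against 1.0.39 and the sample .yarnrc.yml are assumptions constructed for illustration.

```python
# Constructed pre-trust check (not from the advisory, Claude Code or Yarn):
# read a workspace's .yarnrc.yml without invoking Yarn, list the plugins it
# declares, and flag when `yarn --version` should wait for the trust prompt.
FIXED_VERSION = (1, 0, 39)  # first Claude Code release with the fix

def parse_version(text):
    """'v1.0.38' -> (1, 0, 38); pre-release and build suffixes are dropped."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def declared_plugins(yarnrc_text):
    """Plugin paths from the top-level `plugins:` list of a Yarn Berry .yarnrc.yml
    (bare path string or mapping with `path:`); minimal line-based reader."""
    plugins, in_plugins = [], False
    for raw in yarnrc_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():  # top-level key: are we entering `plugins:`?
            in_plugins = raw.split(":", 1)[0].strip() == "plugins"
            continue
        if not in_plugins:
            continue
        item = raw.strip()
        is_item = item.startswith("- ")
        if is_item:
            item = item[2:].strip()
        if item.startswith("path:"):
            plugins.append(item[5:].strip().strip("'\""))
        elif is_item and ":" not in item:  # bare path string item
            plugins.append(item.strip("'\""))
    return plugins

def preflight(yarnrc_text, claude_code_version):
    """What to know before accepting the directory trust prompt."""
    plugins = declared_plugins(yarnrc_text)
    vulnerable = parse_version(claude_code_version) < FIXED_VERSION
    # Plugin code can run on `yarn --version` ahead of the prompt only when an
    # affected Claude Code meets a workspace that declares plugins.
    return {"plugins": plugins, "claude_code_vulnerable": vulnerable,
            "defer_yarn_until_trusted": vulnerable and bool(plugins)}

SAMPLE_YARNRC = """\
yarnPath: .yarn/releases/yarn-3.6.4.cjs
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
    spec: "@yarnpkg/plugin-workspace-tools"
  - .yarn/plugins/local-plugin.cjs
enableTelemetry: false
"""  # constructed sample, not from any real project
```

The reader deliberately parses only the two plugin item shapes Yarn Berry documents; a workspace using an unusual YAML layout should be treated as undetermined rather than clean.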


Thank you to https://hackerone.com/michel_ for reporting this issue!

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-829",
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2025-09-24T18:57:44Z",
    "nvd_published_at": "2025-09-24T20:15:33Z"
}
References

Affected packages

npm / @anthropic-ai/claude-code

Package

Name
@anthropic-ai/claude-code
Purl
pkg:npm/%40anthropic-ai/claude-code

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.39