CVE-2025-65099: 
JavaScript vulnerability analysis and mitigation

CVE-2025-65099 affects Claude Code, an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could be exploited to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. The vulnerability was disclosed on November 19, 2025 (NVD, GitHub Advisory).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code). It has received a CVSS v4.0 base score of 7.7 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code via yarn plugins before the user accepts the startup trust dialog, potentially leading to complete system compromise. The high severity scores indicate significant potential impact on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been patched in Claude Code version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version (Miggo).