Claude Code Command Execution Vulnerability Prior to Trust Dialog Acceptance

Vulnerability

A command execution vulnerability has been identified in Claude Code versions prior to 1.0.39 when running on a machine with Yarn 3.0 or above. Yarn 3 and later load plugins declared by the project itself, so invoking Yarn inside a directory executes code that the project controls. Affected versions of Claude Code invoked Yarn before the user had accepted the startup trust dialog, so an attacker-controlled project could run code before the user had been asked whether to trust it. Exploitation requires the victim to launch Claude Code in an untrusted directory on a machine with Yarn 3.0 or above installed.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution within the context of the user running Claude Code.

Remediation

Users on the standard Claude Code auto-update channel will have received the fix automatically. Those who update manually are advised to update to 1.0.39 or later.

Added: Nov 19, 2025, 6:31 PM
Updated: Nov 19, 2025, 7:16 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.