=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN818
_____________________________________________________________________

DATE                : 20/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Claude Code versions prior to
                     1.0.39.

=====================================================================
https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv
_____________________________________________________________________


Command execution prior to Claude Code startup trust dialog
High
ddworken published GHSA-5hhx-v7f6-x7gv Nov 19, 2025

Package
@anthropic-ai/claude-code (npm)

Affected versions
<v1.0.39

Patched versions
v1.0.39


Description

When running on a machine with Yarn 3.0 or above, Claude Code could
have been tricked into executing code contained in a project via Yarn
plugins before the user accepted the startup trust dialog. Exploiting
this would have required a user to start Claude Code in an untrusted
directory and to be using Yarn 3.0 or above.

Users on standard Claude Code auto-update will have received this fix
automatically. Users performing manual updates are advised to update
to the latest version.
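The advisory above describes the risk in prose only. The following script is an added defensive example, not code from the advisory, from Anthropic or from CERT-Renater: before opening a directory that has not yet been trusted, it reports whether the installed Claude Code version predates the patched release (1.0.39, taken from the advisory) and whether the project declares Yarn plugins, which is the execution path the advisory names. It assumes, as general Yarn 3+ knowledge and not as anything the advisory states, that plugins are declared in a `.yarnrc.yml` file under a top-level `plugins:` key, either as bare paths or as `- path:` entries; the function names, the `check_project`/`assess` helpers and the sample `.yarnrc.yml` content are constructed for this example.

```python
"""Pre-trust check for a project directory (added example, not from the advisory)."""
import re
from pathlib import Path

# Patched release named in GHSA-5hhx-v7f6-x7gv / CVE-2025-65099.
PATCHED_VERSION = "1.0.39"

# Constructed sample .yarnrc.yml, NOT taken from the advisory. Shows both
# plugin declaration shapes Yarn 3+ accepts (assumption about Yarn layout).
SAMPLE_YARNRC = """\
# constructed sample
nodeLinker: node-modules
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-typescript.cjs
    spec: "@yarnpkg/plugin-typescript"
  - ./tools/local-plugin.cjs
yarnPath: .yarn/releases/yarn-3.6.0.cjs
"""


def parse_version(v: str) -> tuple:
    """Turn '1.0.39' or 'v1.0.39' into (1, 0, 39) so versions compare numerically,
    not as strings (otherwise '1.0.9' would wrongly sort after '1.0.39')."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed Claude Code version is older than the patched one."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def yarn_plugin_paths(yarnrc_text: str) -> list:
    """Collect plugin paths declared under the top-level `plugins:` key.

    Minimal line-based reader (no YAML dependency) for the two common shapes:
        plugins:
          - ./plugin.cjs
          - path: .yarn/plugins/x.cjs
            spec: "..."
    Everything outside the plugins block is ignored.
    """
    paths = []
    in_plugins = False
    for raw in yarnrc_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A new top-level key starts; only `plugins:` opens the block we want.
            in_plugins = line.startswith("plugins:")
            continue
        if not in_plugins:
            continue
        item = line.strip()
        if item.startswith("- path:"):
            paths.append(item[len("- path:"):].strip().strip("\"'"))
        elif item.startswith("- ") and ":" not in item:
            paths.append(item[2:].strip().strip("\"'"))
    return paths


def assess(yarnrc_text, installed_version: str) -> dict:
    """Combine both signals. `yarnrc_text` is None when the project has no .yarnrc.yml.
    `at_risk` is only set when BOTH the version predates the fix AND plugins are declared."""
    plugins = yarn_plugin_paths(yarnrc_text) if yarnrc_text is not None else []
    vulnerable = is_vulnerable_version(installed_version)
    return {
        "installed_version": installed_version,
        "vulnerable_version": vulnerable,
        "yarn_plugins": plugins,
        "at_risk": vulnerable and bool(plugins),
    }


def check_project(project_dir: Path, installed_version: str) -> dict:
    """File-system wrapper around assess() for a real project directory."""
    yarnrc = project_dir / ".yarnrc.yml"
    text = yarnrc.read_text(encoding="utf-8") if yarnrc.exists() else None
    return assess(text, installed_version)


if __name__ == "__main__":
    # Demo on the constructed sample with an unpatched version string.
    report = assess(SAMPLE_YARNRC, "1.0.38")
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

Run it against a real checkout with `check_project(Path("/path/to/project"), "<installed version>")`; a report with `at_risk` set is the cue to update first and open the directory afterwards. The version comparison is numeric on purpose: comparing `1.0.9` and `1.0.39` as strings would get the answer wrong.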

Thank you to Benjamin Faller, Redguard AG and Michael Hess for
reporting this issue!


Severity
High
7.7 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : Present
  Privileges Required  : None
  User Interaction     : Passive
Vulnerable System Impact Metrics
  Confidentiality      : High
  Integrity            : High
  Availability         : High
Subsequent System Impact Metrics
  Confidentiality      : None
  Integrity            : None
  Availability         : None

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2025-65099

Weaknesses
CWE-94: Improper Control of Generation of Code ('Code Injection')


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================