Untrusted search path in Claude Code - CVE-2025-59828

 

Published: April 30, 2026


Vulnerability identifier: #VU128524
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-59828
CWE-ID: CWE-426
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Claude Code
Software vendor: Anthropic

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper trust management in plugin autoloading and Yarn configuration handling when yarn --version is run in an untrusted directory. A remote attacker can place a specially crafted Yarn configuration file in that directory to execute arbitrary code.

User interaction is required. Note that exploitation occurs before the user accepts the risks of working in an untrusted directory.
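The advisory turns on the fact that a Yarn configuration file inside a directory can tell yarn to execute a script shipped with that directory, so even yarn --version runs project-controlled code. The following pre-flight check is an added example written for this entry; it is not code from the advisory, from Anthropic, or from the Yarn project. It assumes the two Yarn configuration formats as documented by Yarn (yarnPath and the plugins list in .yarnrc.yml for Yarn Berry, yarn-path in .yarnrc for Yarn classic), uses a line-based heuristic rather than a full YAML parser, and scans constructed sample files rather than anything from a real incident. A defender can run it against a checkout before a tool is allowed to invoke yarn there, or use it as the basis of a repository policy check.

```python
"""Pre-flight check: report Yarn settings in a directory that make `yarn`
execute a script chosen by the directory's contents (the CWE-426 pattern
described in the advisory). Added example; heuristic, not a YAML parser."""
import re
import tempfile
from pathlib import Path

# Constructed sample files (not taken from the advisory or any real project).
SAMPLE_YARNRC_YML = """\
# project settings
nodeLinker: node-modules
yarnPath: .yarn/releases/yarn-4.0.0.cjs   # script shipped inside the repo
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
    spec: "@yarnpkg/plugin-workspace-tools"
  - ./tools/local-plugin.cjs
enableTelemetry: false
"""

SAMPLE_YARNRC_CLASSIC = """\
registry "https://registry.npmjs.org"
yarn-path "./.yarn/releases/yarn-1.22.19.js"
"""

# Yarn Berry: `yarnPath` is executed instead of the installed yarn; every
# `plugins` entry is loaded as code. Yarn classic: `yarn-path` does the same.
YML_EXEC_KEY = re.compile(r"^yarnPath:\s*(.+?)\s*$")
YML_PLUGIN_ITEM = re.compile(r"^-\s*(?:path:\s*)?(.+?)\s*$")
CLASSIC_EXEC_KEY = re.compile(r'^yarn-path\s+"?([^"\s]+)"?')


def _unquote(value):
    return value.strip().strip("\"'")


def scan_yarnrc_yml(text):
    """Return (key, value, line) for yarnPath and each top-level plugins entry.
    Block-style lists only; flow-style `plugins: [...]` is not handled."""
    findings = []
    in_plugins = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        line = re.split(r"\s#", raw, maxsplit=1)[0].rstrip()  # drop trailing comment
        if not line.strip():
            continue
        stripped = line.strip()
        if line[0] not in " \t":            # top-level key
            in_plugins = stripped.startswith("plugins:")
            m = YML_EXEC_KEY.match(stripped)
            if m:
                findings.append(("yarnPath", _unquote(m.group(1)), lineno))
            continue
        if in_plugins:                       # indented item under plugins:
            m = YML_PLUGIN_ITEM.match(stripped)
            if m:
                findings.append(("plugins", _unquote(m.group(1)), lineno))
    return findings


def scan_yarnrc_classic(text):
    """Return (key, value, line) for every yarn-path setting in a classic .yarnrc."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = CLASSIC_EXEC_KEY.match(raw.strip())
        if m:
            findings.append(("yarn-path", _unquote(m.group(1)), lineno))
    return findings


SCANNERS = {".yarnrc.yml": scan_yarnrc_yml, ".yarnrc": scan_yarnrc_classic}


def scan_directory(root):
    """Return (file, key, value, line) for every code-loading Yarn setting in `root`."""
    root = Path(root)
    findings = []
    for name, scanner in SCANNERS.items():
        path = root / name
        if path.is_file():
            for key, value, lineno in scanner(path.read_text(encoding="utf-8")):
                findings.append((name, key, value, lineno))
    return findings


def is_safe_to_run_yarn(root):
    """True only if nothing in `root` redirects yarn to a project-supplied script."""
    return not scan_directory(root)


def demo():
    """Write the constructed samples into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, ".yarnrc.yml").write_text(SAMPLE_YARNRC_YML, encoding="utf-8")
        Path(d, ".yarnrc").write_text(SAMPLE_YARNRC_CLASSIC, encoding="utf-8")
        return scan_directory(d)


if __name__ == "__main__":
    for name, key, value, lineno in demo():
        print(f"{name}:{lineno}: {key} -> {value} (yarn would execute this file)")
```

On the constructed samples the scan reports the yarnPath entry, both plugin entries and the classic yarn-path, and is_safe_to_run_yarn returns False; a directory whose Yarn files set neither key passes. The check is deliberately conservative: it reports every such setting regardless of where the path points, because the point of CWE-426 is that the directory, not the user, decides what gets run.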


Remediation

Install the security update from the vendor's website.

External links