CVE-2025-3155 Overview
A critical security flaw has been identified in Gnome Yelp, the default help application for the GNOME desktop environment. The vulnerability allows help documents to execute arbitrary scripts, enabling malicious actors to craft specially designed help files that can exfiltrate user data to external systems. This represents a significant threat to desktop Linux users, as Yelp is widely deployed across enterprise and consumer Linux distributions.
Critical Impact
Malicious help documents can execute arbitrary scripts and exfiltrate sensitive user files to attacker-controlled external environments, compromising confidentiality of user data.
Affected Products
- Gnome Yelp (version 42.2-8 and potentially other versions)
- Debian Linux 11.0
- Red Hat Enterprise Linux 8.0 and 9.0 (including EUS, AUS, TUS variants)
- Red Hat CodeReady Linux Builder (multiple versions and architectures)
- Red Hat Enterprise Linux for ARM64, IBM Z Systems, and Power Little Endian
Discovery Timeline
- April 3, 2025 - CVE-2025-3155 published to NVD
- April 4, 2025 - Public disclosure via OpenWall OSS-Security mailing list
- August 12, 2025 - Last updated in NVD database
Technical Details for CVE-2025-3155
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site / Open Redirect), though its exploitation extends beyond simple redirection. The flaw exists in how Yelp processes and renders help documents, failing to properly sanitize or restrict script execution within the document context.
The attack requires user interaction: a user must open a malicious help document. Once opened, the embedded scripts execute within the context of Yelp's rendering engine, which has access to the local file system. This enables attackers to read sensitive files and transmit them to external servers controlled by the attacker.
The vulnerability poses particular risk in environments where users may receive help documents from untrusted sources, such as third-party application bundles, documentation packages, or social engineering attacks distributing malicious .page files.
Root Cause
The root cause stems from insufficient input validation and sandboxing within Yelp's document rendering pipeline. Help documents, typically written in Mallard XML format, are processed without adequate restrictions on embedded scripting capabilities. The application fails to enforce a proper security boundary between document content and script execution, allowing untrusted content to interact with system resources.
Attack Vector
The attack vector is network-based, requiring user interaction to trigger the vulnerability. An attacker can exploit this vulnerability through several methods:
- Social Engineering: Distributing malicious help documents via email, messaging, or file sharing platforms, convincing users to open them
- Compromised Software Packages: Embedding malicious help files within software distributions or updates
- Web-Based Delivery: Hosting malicious .page files that trigger Yelp when downloaded and opened
Once a victim opens the crafted help document, embedded scripts execute without adequate sandboxing. These scripts can enumerate the file system, read sensitive user files (such as SSH keys, configuration files, or personal documents), and exfiltrate this data over the network to attacker-controlled infrastructure.
The attack results in confidentiality breach without requiring any elevated privileges, making it particularly dangerous for users operating under standard accounts.
Detection Methods for CVE-2025-3155
Indicators of Compromise
- Unexpected network connections originating from the Yelp process (yelp or /usr/bin/yelp)
- Presence of suspicious or unfamiliar help document files (.page extension) in user directories or temp folders
- Unusual file access patterns by the Yelp application, particularly reads of sensitive files like ~/.ssh/, ~/.gnupg/, or credential files
- Outbound HTTP/HTTPS connections to unknown external hosts during or shortly after Yelp execution
Detection Strategies
- Monitor process behavior for the Yelp application, flagging any network connections or unusual file system access patterns
- Implement file access monitoring on sensitive user directories to detect unauthorized read attempts (file integrity monitoring alone only reports modifications, so read events need audit-style logging)
- Deploy network traffic analysis to identify data exfiltration patterns from desktop applications
- Use endpoint detection rules to alert on script-like content execution within document viewer contexts
Monitoring Recommendations
- Enable audit logging for file access events on sensitive directories (~/.ssh/, ~/.gnupg/, browser profile directories)
- Configure network monitoring to flag outbound connections from Yelp that connect to external IP addresses
- Review recently downloaded or received .page files for suspicious content before opening
- Implement application-level firewall rules restricting Yelp's network access to known-safe help repositories
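The indicators and monitoring recommendations above boil down to one correlation: a yelp process that reads a sensitive path and then opens a network connection to a host that is not an approved help repository. The following is an added example (not part of this advisory or the Yelp project) that applies that logic to constructed, simplified key=value event lines; the line format, the hypothetical ~/.config/keyrings path and the sample pids/hosts are assumptions, and in practice the events would come from auditd, eBPF or EDR telemetry.

```python
import re
from collections import defaultdict

# Constructed sample events (not real auditd output): one open()/connect()
# event per line as key=value fields. Hosts use the documentation range 203.0.113.0/24.
SAMPLE_EVENTS = """\
ts=1743760862 comm=yelp pid=4321 type=open path=/usr/share/help/C/gnome-help/index.page
ts=1743760863 comm=yelp pid=4321 type=open path=/home/alice/.ssh/id_ed25519
ts=1743760864 comm=yelp pid=4321 type=connect dest=203.0.113.7:443
ts=1743760870 comm=firefox pid=5000 type=connect dest=203.0.113.7:443
ts=1743760880 comm=yelp pid=4322 type=open path=/usr/share/help/C/yelp/index.page
""".splitlines()

# Paths a help viewer has no business reading: SSH keys, GnuPG data, browser
# profiles (~/.mozilla) and the assumed keyring directory from the IoC list.
SENSITIVE_PATH = re.compile(r"/(\.ssh|\.gnupg|\.mozilla|\.config/keyrings)(/|$)|/\.netrc$")

def parse_event(line):
    """Split a 'key=value key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def yelp_findings(lines, allowed_hosts=()):
    """Return per-pid findings for yelp processes that read sensitive files or
    connect to hosts outside the allowlist. A pid that does both is rated
    'high' (likely exfiltration chain); either alone is 'medium'."""
    by_pid = defaultdict(lambda: {"sensitive_reads": [], "connects": []})
    for line in lines:
        ev = parse_event(line)
        if ev.get("comm") != "yelp":          # only the help viewer is in scope
            continue
        pid = ev["pid"]
        if ev["type"] == "open" and SENSITIVE_PATH.search(ev["path"]):
            by_pid[pid]["sensitive_reads"].append(ev["path"])
        elif ev["type"] == "connect":
            host = ev["dest"].rsplit(":", 1)[0]
            if host not in allowed_hosts:      # known-safe help repositories
                by_pid[pid]["connects"].append(ev["dest"])
    findings = []
    for pid, info in by_pid.items():
        if not (info["sensitive_reads"] or info["connects"]):
            continue
        severity = "high" if info["sensitive_reads"] and info["connects"] else "medium"
        findings.append({"pid": pid, "severity": severity, **info})
    return findings

if __name__ == "__main__":
    for finding in yelp_findings(SAMPLE_EVENTS):
        print(finding)
```

Pid 4321 is reported as high because it read an SSH private key and then connected to an unlisted host, while pid 4322 (reading only shipped help pages) and the unrelated firefox connection produce no finding.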
How to Mitigate CVE-2025-3155
Immediate Actions Required
- Update Gnome Yelp to the latest patched version provided by your distribution
- Apply security updates from Red Hat (RHSA-2025:4450 through RHSA-2025:7569) or Debian as applicable
- Avoid opening help documents from untrusted or unknown sources
- Consider temporarily restricting or removing Yelp if updates cannot be immediately applied
Patch Information
Multiple vendors have released security patches addressing this vulnerability:
- Red Hat: Security advisories RHSA-2025:4450, RHSA-2025:4451, RHSA-2025:4455, RHSA-2025:4456, RHSA-2025:4457, RHSA-2025:4505, RHSA-2025:4532, RHSA-2025:7430, and RHSA-2025:7569
- Debian: Security announcements available via the Debian LTS mailing list
For detailed CVE information from Red Hat, refer to their CVE-2025-3155 security page. The issue is also tracked in Red Hat Bugzilla #2357091.
Workarounds
- Remove or disable the Yelp application if not required for daily operations using your package manager (e.g., sudo dnf remove yelp or sudo apt remove yelp)
- Configure application sandboxing solutions (such as Flatpak or Firejail) to restrict Yelp's network and file system access
- Implement strict file association policies to prevent automatic opening of .page files
- Block or quarantine help document files received from external sources until they can be verified
# Example: Remove Yelp on Red Hat-based systems
sudo dnf remove yelp
# Example: Remove Yelp on Debian-based systems
sudo apt remove yelp
# Alternative: Restrict Yelp network access using Firejail
firejail --net=none yelp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.