| Name | CVE-2025-3155 |
| Description | A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1102080 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| yelp (PTS) | bullseye | 3.38.3-1 | vulnerable |
| bookworm | 42.2-1 | vulnerable |
| trixie | 42.2-2 | vulnerable |
| sid | 42.2-3 | fixed |
| yelp-xsl (PTS) | bullseye | 3.38.3-1 | vulnerable |
| bookworm | 42.1-2 | vulnerable |
| trixie | 42.1-3 | vulnerable |
| sid | 42.1-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| yelp | source | (unstable) | 42.2-3 | | | 1102080 |
| yelp-xsl | source | (unstable) | 42.1-4 | | | |
Notes
[bullseye] - yelp <postponed> (Minor issue, revisit when fixed upstream)
https://bugzilla.redhat.com/show_bug.cgi?id=2357091
https://www.openwall.com/lists/oss-security/2025/04/04/1
https://gitlab.gnome.org/GNOME/yelp/-/issues/221