CVE-2025-3155

Name: CVE-2025-3155
Description: A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1102080

Vulnerable and fixed packages

The table below lists information on source packages.

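| Source Package | Release | Version | Status |
|---|---|---|---|
| yelp (PTS) | bullseye | 3.38.3-1 | vulnerable |
| yelp (PTS) | bookworm | 42.2-1 | vulnerable |
| yelp (PTS) | trixie | 42.2-2 | vulnerable |
| yelp (PTS) | sid | 42.2-3 | fixed |
| yelp-xsl (PTS) | bullseye | 3.38.3-1 | vulnerable |
| yelp-xsl (PTS) | bookworm | 42.1-2 | vulnerable |
| yelp-xsl (PTS) | trixie | 42.1-3 | vulnerable |
| yelp-xsl (PTS) | sid | 42.1-4 | fixed |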

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| yelp | source | (unstable) | 42.2-3 | | | 1102080 |
| yelp-xsl | source | (unstable) | 42.1-4 | | | |

Notes

[bullseye] - yelp <postponed> (Minor issue, revisit when fixed upstream)
https://bugzilla.redhat.com/show_bug.cgi?id=2357091
https://www.openwall.com/lists/oss-security/2025/04/04/1
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
