A proof-of-concept (PoC) exploit has been released for CVE-2025-3155, a critical vulnerability in GNOME’s Yelp help viewer that enables attackers to exfiltrate SSH keys and other sensitive files from Ubuntu systems. 

The flaw leverages improper handling of the ghelp:// URI scheme and XML processing to execute arbitrary JavaScript, exposing millions of Linux desktop users to potential data theft.

Yelp, preinstalled on Ubuntu and other GNOME-based distributions, processes .page files using the Mallard XML schema.

Vulnerability Details

These files support XInclude, an XML inclusion mechanism that attackers exploited to inject malicious content. The vulnerability chain involves three key components:

ghelp URI Scheme:

Github reports that Yelp registers itself as the handler for ghelp:// URIs. A malicious link like ghelp:///proc/self/cwd/Downloads can trigger parsing of attacker-controlled .page files.

XInclude Arbitrary File Read:

Attackers craft .page files with directives like:

This allows the inclusion of system files (e.g., /proc/self/cwd/.ssh/id_rsa) into the rendered document.

SVG-Based Script Injection:

Yelp’s XSLT processor copies elements verbatim to the output HTML. Attackers embed JavaScript within SVG tags to exfiltrate data:

This script sends stolen files to a remote server when the page loads.

Application Security is no longer just a defensive play, Time to Secure -> Free Webinar

Exploit Workflow

The PoC exploit involves two phases:

A malicious webpage uses JavaScript to force-download a .page file to the victim’s Downloads folder:

The same page redirects to ghelp:///proc/self/cwd/Downloads, causing Yelp to parse the malicious .page file and execute the embedded script.

Affected Systems include Ubuntu 22.04 LTS and other GNOME-based distributions using Yelp ≥42.1.

With CVSS 6.5, rated as moderate, the vulnerability requires user interaction (clicking a link) and partial reliance on guessing file paths.

Attackers leverage GNOME’s default $HOME as the working directory for browsers, using /proc/self/cwd to reference Downloads/ without knowing the username.

Mitigation Recommendations

Avoid Untrusted Links: Do not click ghelp:// URIs from unverified sources.

Patch Management: Monitor for official updates from GNOME and Ubuntu. As of April 8, 2025, no committed patches exist, though proposed fixes are under review.

Network Segmentation: Restrict external access to systems running vulnerable Yelp versions.

The discovery highlights risks in XML processing and custom URI handlers across Linux desktop ecosystems. 

While user interaction is required, the ease of social engineering combined with this flaw creates a significant attack surface for credential theft and lateral movement. 

System administrators should prioritize user education and endpoint monitoring until official patches are released.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try 50 Request for Free