Yelp: arbitrary file read
Summary
| CVE | CVE-2025-3155 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-04-03 14:15:46 UTC |
| Updated | 2026-06-29 21:16:36 UTC |
| Description | A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment. |
Risk And Classification
Primary CVSS: v3.1 7.4 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS: 0.105980000 probability, percentile 0.952290000 (date 2026-07-01)
Problem Types: CWE-601 | CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | Exploit, Issue Tracking, Third Party Advisory |
| access.redhat.com/errata/RHSA-2025:4457 | [email protected] | access.redhat.com | Third Party Advisory |
| gist.github.com/parrot409/e970b155358d45b298d7024edd9b17f2 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | gist.github.com | Exploit, Third Party Advisory |
| access.redhat.com/errata/RHSA-2025:4451 | [email protected] | access.redhat.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2025:7569 | [email protected] | access.redhat.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2025:4456 | [email protected] | access.redhat.com | Third Party Advisory |
| gitlab.gnome.org/GNOME/yelp/-/issues/221 | [email protected] | gitlab.gnome.org | |
| www.openwall.com/lists/oss-security/2025/04/04/1 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List |
| access.redhat.com/errata/RHSA-2025:7430 | [email protected] | access.redhat.com | Third Party Advisory |
| access.redhat.com/security/cve/CVE-2025-3155 | [email protected] | access.redhat.com | Third Party Advisory |
| lists.debian.org/debian-lts-announce/2025/05/msg00037.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List |
| access.redhat.com/errata/RHSA-2025:4455 | [email protected] | access.redhat.com | Third Party Advisory |
| lists.debian.org/debian-lts-announce/2025/05/msg00036.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List |
| access.redhat.com/errata/RHSA-2025:4532 | [email protected] | access.redhat.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2025:4505 | [email protected] | access.redhat.com | Third Party Advisory |
| access.redhat.com/errata/RHSA-2025:4450 | [email protected] | access.redhat.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-04-03T01:57:56.192Z | Reported to Red Hat. |
| CNA | 2025-04-03T00:00:00.000Z | Made public. |
Workarounds
CNA: Currently, no mitigation is available for this vulnerability.
There are currently no legacy QID mappings associated with this CVE.