CVE-2025-3155: 
NixOS vulnerability analysis and mitigation

A security vulnerability (CVE-2025-3155) was discovered in Yelp, the GNOME user help application that comes pre-installed on Ubuntu desktop systems. The vulnerability was disclosed on April 3, 2025, and affects the way Yelp handles the 'ghelp://' URI scheme. The flaw allows help documents to execute arbitrary JavaScript, potentially leading to unauthorized file access and data exfiltration (NVD, Security Online).

The vulnerability stems from Yelp's processing of .page files, which are XML files using the Mallard schema. These files can use XInclude, an XML inclusion mechanism that is enabled by default. Yelp uses an XSLT application (yelp-xsl) to transform the .page file into HTML, which is then rendered by WebKitGtk. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD, Security Online).

The vulnerability allows malicious help documents to exfiltrate user files to a remote server. An attacker can potentially access sensitive files such as SSH keys and other confidential information stored on the victim's system. The attack is particularly concerning as it can be executed through a malicious website that downloads a help document without user intervention (Security Online, Openwall).

The primary mitigation recommended is to avoid opening untrusted custom-scheme links. While there are proposed patches in the bug report, none have been officially committed to the git repository as of the initial disclosure (Openwall).