The flaw leverages improper handling of the ghelp:// URI scheme and XML processing to execute arbitrary JavaScript, exposing millions of Linux desktop users to potential data theft.
Yelp, preinstalled on Ubuntu and other GNOME-based distributions, processes .page files using the Mallard XML schema.
These files support XInclude, an XML inclusion mechanism that attackers exploited to inject malicious content. The vulnerability chain involves three key components:
ghelp URI Scheme:
Github reports that Yelp registers itself as the handler for ghelp:// URIs. A malicious link like ghelp:///proc/self/cwd/Downloads can trigger parsing of attacker-controlled .page files.
XInclude Arbitrary File Read:
Attackers craft .page files with directives like:
This allows the inclusion of system files (e.g., /proc/self/cwd/.ssh/id_rsa) into the rendered document.
SVG-Based Script Injection:
Yelp’s XSLT processor copies <svg> elements verbatim to the output HTML. Attackers embed JavaScript within SVG tags to exfiltrate data:
This script sends stolen files to a remote server when the page loads.
Application Security is no longer just a defensive play, Time to Secure -> Free Webinar
The PoC exploit involves two phases:
A malicious webpage uses JavaScript to force-download a .page file to the victim’s Downloads folder:
The same page redirects to ghelp:///proc/self/cwd/Downloads, causing Yelp to parse the malicious .page file and execute the embedded script.
Affected Systems include Ubuntu 22.04 LTS and other GNOME-based distributions using Yelp ≥42.1.
With CVSS 6.5, rated as moderate, the vulnerability requires user interaction (clicking a link) and partial reliance on guessing file paths.
Attackers leverage GNOME’s default $HOME as the working directory for browsers, using /proc/self/cwd to reference Downloads/ without knowing the username.
Avoid Untrusted Links: Do not click ghelp:// URIs from unverified sources.
Patch Management: Monitor for official updates from GNOME and Ubuntu. As of April 8, 2025, no committed patches exist, though proposed fixes are under review.
Network Segmentation: Restrict external access to systems running vulnerable Yelp versions.
The discovery highlights risks in XML processing and custom URI handlers across Linux desktop ecosystems.
While user interaction is required, the ease of social engineering combined with this flaw creates a significant attack surface for credential theft and lateral movement.
System administrators should prioritize user education and endpoint monitoring until official patches are released.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try 50 Request for Free
The post PoC Exploit Released for Yelp Flaw that Exposes SSH Keys on Ubuntu Systems appeared first on Cyber Security News.
When Daredevil: Born Again debuted last year, many fans weren’t particularly happy with the way…
McDonald's has introduced a brand-new Pro Game Menu and an 'Archie' device that will keep…
A RollerCoaster Tycoon 2 superfan has created what is believed to be the longest rollercoaster…
Baskets of ballots sit at a new ballot processing center in Thurston County, Washington, on…
In a bid to encourage voter turnout for Wisconsin's primary election, the city of Beloit…
The Dari Ripple in South Beloit has officially opened its doors for the season.
This website uses cookies.