CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.
Configurations

Configuration 1 (hide)

cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:*

History

07 Jul 2026, 17:31

Type Values Removed Values Added
References () https://github.com/netdata/netdata/commit/f82554fe9b21b5ae51a8663a3f4ddce84cac16af - () https://github.com/netdata/netdata/commit/f82554fe9b21b5ae51a8663a3f4ddce84cac16af - Patch
References () https://github.com/netdata/netdata/pull/19919 - () https://github.com/netdata/netdata/pull/19919 - Issue Tracking, Patch
References () https://github.com/netdata/netdata/releases/tag/v2.3.1 - () https://github.com/netdata/netdata/releases/tag/v2.3.1 - Product, Release Notes
References () https://www.vulncheck.com/advisories/netdata-reflected-cross-site-scripting-via-love-parameter-in-ilove-svg-endpoint - () https://www.vulncheck.com/advisories/netdata-reflected-cross-site-scripting-via-love-parameter-in-ilove-svg-endpoint - Patch, Release Notes, Third Party Advisory
CPE cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:*
First Time Netdata netdata
Netdata

02 Jul 2026, 20:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-02 20:17

Updated : 2026-07-14 23:17


NVD link : CVE-2025-71385

Mitre link : CVE-2025-71385

CVE.ORG link : CVE-2025-71385


JSON object : View

Products Affected

netdata

  • netdata
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')