Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.
References
| Link | Resource |
|---|---|
| https://github.com/netdata/netdata/commit/f82554fe9b21b5ae51a8663a3f4ddce84cac16af | Patch |
| https://github.com/netdata/netdata/pull/19919 | Issue Tracking Patch |
| https://github.com/netdata/netdata/releases/tag/v2.3.1 | Product Release Notes |
| https://www.vulncheck.com/advisories/netdata-reflected-cross-site-scripting-via-love-parameter-in-ilove-svg-endpoint | Patch Release Notes Third Party Advisory |
Configurations
History
07 Jul 2026, 17:31
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/netdata/netdata/commit/f82554fe9b21b5ae51a8663a3f4ddce84cac16af - Patch | |
| References | () https://github.com/netdata/netdata/pull/19919 - Issue Tracking, Patch | |
| References | () https://github.com/netdata/netdata/releases/tag/v2.3.1 - Product, Release Notes | |
| References | () https://www.vulncheck.com/advisories/netdata-reflected-cross-site-scripting-via-love-parameter-in-ilove-svg-endpoint - Patch, Release Notes, Third Party Advisory | |
| CPE | cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:* | |
| First Time |
Netdata netdata
Netdata |
02 Jul 2026, 20:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-02 20:17
Updated : 2026-07-14 23:17
NVD link : CVE-2025-71385
Mitre link : CVE-2025-71385
CVE.ORG link : CVE-2025-71385
JSON object : View
Products Affected
netdata
- netdata
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
