CVE-2025-71385

Reflected XSS in Netdata API Endpoints

Vulnerability report for CVE-2025-71385, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor    Product    Version / Range
netdata   netdata    up to 2.3.1 (excluding)

CWE
CWE ID    Description
CWE-79    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2025-71385 is a reflected Cross-Site Scripting (XSS) vulnerability in Netdata versions before 2.3.1. It occurs because the 'love' query parameter in the api/v2/ilove.svg and api/v3/ilove.svg endpoints is reflected directly into the generated SVG document without any HTML or XML escaping.

An attacker can craft a malicious URL containing a script tag in the 'love' parameter, such as '/api/v2/ilove.svg?love=<script>...</script>'. When a victim accesses this URL, the injected script executes in the victim's browser within the origin of the Netdata instance.

These endpoints are accessible without authentication by default because bearer-token protection is disabled and they are registered with HTTP_ACL_NOCHECK and anonymous access. The vulnerability was fixed by removing the vulnerable 'ilove' endpoint entirely.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code in the browser of anyone who visits a crafted malicious URL pointing to the vulnerable Netdata instance.

Such reflected XSS attacks can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the victim, or delivery of further malicious payloads.

Because the vulnerable endpoints are accessible without authentication by default, any user or external party can be targeted simply by tricking them into visiting the malicious URL.

Detection Guidance

This vulnerability can be detected by checking if your Netdata instance is running a version prior to 2.3.1 and if the endpoints /api/v2/ilove.svg or /api/v3/ilove.svg are accessible without authentication.

You can attempt to detect the vulnerability by sending a crafted HTTP request to these endpoints with the 'love' query parameter containing a test script and observing if the response SVG reflects the input without escaping.

  • Use curl to send a test request: curl -i 'http://<netdata-host>/api/v2/ilove.svg?love=<script>alert(1)</script>'
  • Check the response content-type header to confirm it is 'image/svg+xml' and inspect the SVG content for unescaped script tags.
  • Verify the Netdata version by running: netdata -v or checking the version in the web UI to ensure it is 2.3.1 or later.
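An offline version of the checks above, added here as an example and not code from Netdata or the advisory: it classifies a captured ilove.svg response to a harmless probe value (verbatim reflection, escaped reflection, or endpoint removed), compares a `netdata -v` string against 2.3.1, and shows the XML escaping the vulnerable text element lacked. The probe token, the sample responses and all function names are constructed assumptions.

```python
import re
from xml.sax.saxutils import escape

FIXED_VERSION = (2, 3, 1)
# Constructed, harmless probe value: a unique token in angle brackets.
# If it comes back byte-for-byte inside SVG markup, no escaping happened.
PROBE = "<xsscheck-7f3a1c>"

def version_is_affected(version_output):
    """Parse 'netdata v2.3.0'-style output and compare against 2.3.1."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"no version found in {version_output!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION

def classify_response(status, content_type, body, probe=PROBE):
    """Classify a captured response to /api/v2|v3/ilove.svg?love=<probe>.

    'removed'    -> 404: the endpoint is gone (what the 2.3.1 fix did)
    'vulnerable' -> SVG body contains the probe verbatim (CWE-79)
    'escaped'    -> SVG body contains the probe, but XML-escaped
    'other'      -> non-SVG, no reflection, or an error response
    """
    if status == 404:
        return "removed"
    if status != 200 or not content_type.lower().startswith("image/svg+xml"):
        return "other"
    if probe in body:
        return "vulnerable"
    if escape(probe) in body:
        return "escaped"
    return "other"

def safe_text_element(love):
    """The neutralisation the vulnerable handler lacked: XML-escape the
    untrusted value before placing it inside the SVG <text> element."""
    return f'<text x="10" y="30">{escape(love)}</text>'

# Constructed sample responses (not captured from a real agent).
VULNERABLE = (200, "image/svg+xml",
              f'<svg xmlns="http://www.w3.org/2000/svg"><text>{PROBE}</text></svg>')
ESCAPED = (200, "image/svg+xml; charset=utf-8",
           f'<svg xmlns="http://www.w3.org/2000/svg">{safe_text_element(PROBE)}</svg>')
FIXED = (404, "text/plain", "Not found")

if __name__ == "__main__":
    for name, resp in (("vulnerable", VULNERABLE), ("escaped", ESCAPED), ("fixed", FIXED)):
        print(name, "->", classify_response(*resp))
    print("2.3.0 affected:", version_is_affected("netdata v2.3.0"))
```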

Mitigation Strategies

The immediate mitigation step is to upgrade Netdata to version 2.3.1 or later, where the vulnerable 'ilove' endpoint has been completely removed.

If upgrading immediately is not possible, restrict access to the vulnerable endpoints by configuring network-level controls or firewall rules to block unauthenticated access to /api/v2/ilove.svg and /api/v3/ilove.svg.

Additionally, review the bearer-token protection settings, which are disabled by default, and enable them so that authentication is required to reach sensitive endpoints.
