CVE Catalog

CVE-2025-71385

Severity: Medium (CVSS 6.1)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

Reflected XSS vulnerability in Netdata before 2.3.1 in the api/v2/ilove.svg and api/v3/ilove.svg endpoints. An attacker can inject malicious JavaScript via the love parameter, which is reflected into the SVG response without proper encoding. The endpoints are accessible without authentication, allowing remote script execution in the victim's browser.

Risk Assessment

The risk includes session theft, credential capture, or unauthorized actions in the context of the victim's Netdata session. The attack can be used for phishing or malware distribution.

Recommendation

Immediately upgrade Netdata to version 2.3.1 or later, which removes the vulnerable endpoint. If upgrading is not possible, block access to the /api/v2/ilove.svg and /api/v3/ilove.svg endpoints via firewall or server configuration.

Original NVD description (English source)

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it, the injected script executes in the victim's browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.
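To make the root cause concrete, the following is an added illustration (not Netdata's code): a hypothetical SVG endpoint that interpolates the love parameter verbatim, beside a hardened version that XML-escapes it, with a parser-based check showing that the escaped value can only ever land as text inside the text element. The template, function names and the probe string are constructed for this example.

```python
"""Reflected parameter in an SVG response: unsafe vs. escaped rendering.
Added example, not Netdata's implementation; names are hypothetical."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed template standing in for the generated SVG document.
SVG_TEMPLATE = (
    f'<svg xmlns="{SVG_NS}" width="200" height="40">'
    '<text x="10" y="25">I love {love}</text></svg>'
)


def render_unsafe(love: str) -> str:
    """Verbatim interpolation: markup in the parameter becomes SVG markup."""
    return SVG_TEMPLATE.format(love=love)


def render_safe(love: str) -> str:
    """XML-escape &, <, > and the double quote so the value is inert text."""
    return SVG_TEMPLATE.format(love=escape(love, {'"': "&quot;"}))


def script_elements(svg: str) -> int:
    """Count <script> elements the browser's XML parser would see."""
    root = ET.fromstring(svg)
    return sum(1 for el in root.iter() if el.tag.split("}")[-1] == "script")


def text_content(svg: str) -> str:
    """Return the character data of the <text> element after parsing."""
    root = ET.fromstring(svg)
    return "".join(root.find(f"{{{SVG_NS}}}text").itertext())


if __name__ == "__main__":
    probe = "<script>/*probe*/</script>"  # constructed, inert sample
    print(script_elements(render_unsafe(probe)))  # 1: parameter became markup
    print(script_elements(render_safe(probe)))    # 0: parameter stayed text
    print(text_content(render_safe(probe)))       # I love <script>/*probe*/</script>
```

The same check generalizes to any reflected value in an XML or SVG body: parse the response and confirm the input reappears only as character data, never as new elements.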

Vulnerability data from NVD (NIST) · CISA KEV · EPSS