CVE-2025-71385

Source
https://cve.org/CVERecord?id=CVE-2025-71385
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71385.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71385
Downstream
Published
2026-07-02T19:37:42.359Z
Modified
2026-07-09T04:00:44.936246633Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Netdata < 2.3.1 - Reflected Cross-Site Scripting via love Parameter in ilove.svg Endpoint
Details

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTPACLNOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71385.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/netdata/netdata

Affected ranges

Type
GIT
Repo
https://github.com/netdata/netdata
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.1"
        }
    ]
}

Affected versions

1.*
1.32.1
1.34.0
Other
untagged-10d59b9e5fa68b9500e1
v0.*
v0.1
v0.2
v1.*
v1.0.0
v1.0rc
v1.1.0
v1.10.0
v1.11.0
v1.11.1
v1.12.0
v1.12.0-rc0
v1.12.0-rc1
v1.12.0-rc2
v1.12.0-rc3
v1.12.1
v1.12.2
v1.13.0
v1.14.0
v1.14.0-rc0
v1.15.0
v1.16.0
v1.16.1
v1.17.0
v1.17.1
v1.18.0
v1.18.1
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.21.1
v1.22.0
v1.22.1
v1.23.0
v1.23.1
v1.23.1_infiniband
v1.23.2
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.27.0_0104103941
v1.28.0
v1.29.0
v1.29.1
v1.29.2
v1.29.3
v1.3.0
v1.30.0
v1.30.1
v1.31.0
v1.32.0
v1.32.1
v1.33.0
v1.33.1
v1.34.0
v1.35.0
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.40.0
v1.41.0
v1.42.0
v1.43.0
v1.44.0
v1.45.0
v1.46.0
v1.47.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0
v1.99.0
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71385.json"