Skip to main content

Netdata EUVDEUVD-2025-210409

| CVE-2025-71385 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 VulnCheck GHSA-rwcv-c3fr-4hrw
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-accessible unauthenticated endpoint (PR:N, AV:N); scope changes to victim browser (S:C); user must click crafted link (UI:R); limited C/I from in-origin script execution, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:31 vuln.today
CVSS changed
Jul 02, 2026 - 20:22 NVD
6.1 (MEDIUM) 5.1 (MEDIUM)

DescriptionCVE.org

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.

AnalysisAI

Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the /api/v2/ilove.svg or /api/v3/ilove.svg endpoints. The love query parameter is embedded verbatim into an SVG response served as image/svg+xml, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with HTTP_ACL_NOCHECK and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.

Technical ContextAI

Netdata's built-in web server exposes /api/v2/ilove.svg and /api/v3/ilove.svg endpoints that accept a love query parameter and interpolate it directly into a dynamically generated SVG document inside a <text> element. SVG is an XML-based format, and when a browser loads an SVG document served with Content-Type: image/svg+xml, it parses and executes embedded <script> tags as live JavaScript in the document's origin - unlike a plain image/png, SVG is an active content type. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the absence of HTML/XML escaping before embedding user input into an XML document. Compounding this, the endpoints were registered with the internal flag HTTP_ACL_NOCHECK, which bypasses Netdata's normal access control layer, and the default configuration disables bearer-token authentication. The affected CPE is cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:* covering all releases before v2.3.1.

RemediationAI

Upgrade to Netdata v2.3.1 or later, which resolves the issue by removing the ilove endpoint entirely rather than patching the escaping logic - this eliminates the attack surface. The release is available at https://github.com/netdata/netdata/releases/tag/v2.3.1. If immediate upgrade is not possible, block access to /api/v2/ilove.svg and /api/v3/ilove.svg at the reverse proxy or firewall level (e.g., via nginx location deny rules or WAF path-based blocking); this prevents the crafted URL from being served to victims but leaves the underlying vulnerable code in place and does not address other potential endpoint issues. A broader compensating control is restricting the Netdata web interface to trusted internal network ranges only, significantly reducing the realistic victim pool for phishing-delivered crafted URLs. Note that blocking at the network layer does not help if internal users can still be social-engineered.

Share

EUVD-2025-210409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy