Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated endpoint (PR:N, AV:N); scope changes to victim browser (S:C); user must click crafted link (UI:R); limited C/I from in-origin script execution, no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.
AnalysisAI
Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the /api/v2/ilove.svg or /api/v3/ilove.svg endpoints. The love query parameter is embedded verbatim into an SVG response served as image/svg+xml, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with HTTP_ACL_NOCHECK and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.
Technical ContextAI
Netdata's built-in web server exposes /api/v2/ilove.svg and /api/v3/ilove.svg endpoints that accept a love query parameter and interpolate it directly into a dynamically generated SVG document inside a <text> element. SVG is an XML-based format, and when a browser loads an SVG document served with Content-Type: image/svg+xml, it parses and executes embedded <script> tags as live JavaScript in the document's origin - unlike a plain image/png, SVG is an active content type. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the absence of HTML/XML escaping before embedding user input into an XML document. Compounding this, the endpoints were registered with the internal flag HTTP_ACL_NOCHECK, which bypasses Netdata's normal access control layer, and the default configuration disables bearer-token authentication. The affected CPE is cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:* covering all releases before v2.3.1.
RemediationAI
Upgrade to Netdata v2.3.1 or later, which resolves the issue by removing the ilove endpoint entirely rather than patching the escaping logic - this eliminates the attack surface. The release is available at https://github.com/netdata/netdata/releases/tag/v2.3.1. If immediate upgrade is not possible, block access to /api/v2/ilove.svg and /api/v3/ilove.svg at the reverse proxy or firewall level (e.g., via nginx location deny rules or WAF path-based blocking); this prevents the crafted URL from being served to victims but leaves the underlying vulnerable code in place and does not address other potential endpoint issues. A broader compensating control is restricting the Netdata web interface to trusted internal network ranges only, significantly reducing the realistic victim pool for phishing-delivered crafted URLs. Note that blocking at the network layer does not help if internal users can still be social-engineered.
Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (C
Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Rated critical severity (C
The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an impor
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210409
GHSA-rwcv-c3fr-4hrw