PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71385 netdata CVE debrief

CVE-2025-71385 is a reflected cross-site scripting vulnerability in Netdata before version 2.3.1. The vulnerability exists in the api/v2/ilove.svg and api/v3/ilove.svg endpoints, which reflect user-supplied input from the 'love' query parameter into the generated SVG document without proper escaping. This allows an attacker to inject malicious scripts that execute in the victim's browser within the origin of the Netdata instance. The affected endpoints are accessible without authentication on a default Netdata agent due to disabled bearer-token protection. The issue was resolved by removing the ilove endpoint. The CVSS score for this vulnerability is 5.1, indicating a medium severity level.

Vendor
netdata
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-07
Advisory published
2026-07-02
Advisory updated
2026-07-07

Who should care

Users of Netdata prior to version 2.3.1 should apply the patch or upgrade to mitigate the risk of reflected cross-site scripting attacks. This includes operators of Netdata instances, platform administrators, vulnerability management teams, and security teams who need to assess the impact of this vulnerability on their environments.

Technical summary

The vulnerability is caused by the lack of HTML or XML escaping in the reflection of user-supplied input from the 'love' query parameter into the generated SVG document. This allows for the injection of malicious scripts. The CVSS score for this vulnerability is 5.1, indicating a medium severity level. The vulnerability can be exploited without authentication due to the disabled bearer-token protection by default. The issue was resolved by removing the ilove endpoint.

Defensive priority

Medium priority due to the CVSS score of 5.1 and the potential for reflected cross-site scripting attacks.

Recommended defensive actions

  • Upgrade to Netdata version 2.3.1 or later
  • Apply patches as referenced in the vendor advisories
  • Review and adjust authentication and authorization settings for Netdata agents
  • Monitor for suspicious activity on Netdata instances
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-02T20:17:00.420Z and was last modified on 2026-07-07T17:31:58.280Z. The NVD entry is currently Analyzed. The vulnerability exists in Netdata before version 2.3.1, specifically in the api/v2/ilove.svg and api/v3/ilove.svg endpoints. These endpoints reflect user-supplied input from the 'love' query parameter into the generated SVG document without proper escaping, allowing for the injection of malicious scripts. The CVSS score for this vulnerability is 5.1, indicating a medium severity level. The affected endpoints are accessible without authentication on a default Netdata agent due to disabled bearer-token protection. The issue was resolved by removing the ilove endpoint. Evidence limits suggest that defenders verify the patching status of Netdata instances and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T20:17:00.420Z and has not been modified since then. The NVD entry is currently Analyzed.