PatchSiren cyber security CVE debrief
CVE-2025-71385 netdata CVE debrief
CVE-2025-71385 is a reflected cross-site scripting vulnerability in Netdata before version 2.3.1. The vulnerability exists in the api/v2/ilove.svg and api/v3/ilove.svg endpoints, which reflect user-supplied input from the 'love' query parameter into the generated SVG document without proper escaping. This allows an attacker to inject malicious scripts that execute in the victim's browser within the origin of the Netdata instance. The affected endpoints are accessible without authentication on a default Netdata agent due to disabled bearer-token protection. The issue was resolved by removing the ilove endpoint. The CVSS score for this vulnerability is 5.1, indicating a medium severity level.
- Vendor
- netdata
- Product
- Unknown
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-02
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-02
- Advisory updated
- 2026-07-07
Who should care
Users of Netdata prior to version 2.3.1 should apply the patch or upgrade to mitigate the risk of reflected cross-site scripting attacks. This includes operators of Netdata instances, platform administrators, vulnerability management teams, and security teams who need to assess the impact of this vulnerability on their environments.
Technical summary
The vulnerability is caused by the lack of HTML or XML escaping in the reflection of user-supplied input from the 'love' query parameter into the generated SVG document. This allows for the injection of malicious scripts. The CVSS score for this vulnerability is 5.1, indicating a medium severity level. The vulnerability can be exploited without authentication due to the disabled bearer-token protection by default. The issue was resolved by removing the ilove endpoint.
Defensive priority
Medium priority due to the CVSS score of 5.1 and the potential for reflected cross-site scripting attacks.
Recommended defensive actions
- Upgrade to Netdata version 2.3.1 or later
- Apply patches as referenced in the vendor advisories
- Review and adjust authentication and authorization settings for Netdata agents
- Monitor for suspicious activity on Netdata instances
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-02T20:17:00.420Z and was last modified on 2026-07-07T17:31:58.280Z. The NVD entry is currently Analyzed. The vulnerability exists in Netdata before version 2.3.1, specifically in the api/v2/ilove.svg and api/v3/ilove.svg endpoints. These endpoints reflect user-supplied input from the 'love' query parameter into the generated SVG document without proper escaping, allowing for the injection of malicious scripts. The CVSS score for this vulnerability is 5.1, indicating a medium severity level. The affected endpoints are accessible without authentication on a default Netdata agent due to disabled bearer-token protection. The issue was resolved by removing the ilove endpoint. Evidence limits suggest that defenders verify the patching status of Netdata instances and monitor for suspicious activity.
Official resources
-
CVE-2025-71385 CVE record
CVE.org
-
CVE-2025-71385 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Release Notes, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T20:17:00.420Z and has not been modified since then. The NVD entry is currently Analyzed.