GHSA-rwcv-c3fr-4hrw
Netdata versions before 2.3.1 contain a reflected cross-site scripting (XSS) vulnerability in the api/v2/ilove.svg and api/v3/ilove.svg endpoints. These endpoints reflect the user-supplied 'love' query parameter directly into an SVG document without proper escaping, allowing script injection. The endpoints are accessible without authentication by default, as bearer-token protection is disabled and they are registered with HTTP_ACL_NOCHECK. The vulnerability was fixed by removing the ilove endpoint in version 2.3.1.
AI Analysis
Technical Summary
Netdata before version 2.3.1 has a reflected XSS vulnerability (CWE-79) in the api/v2/ilove.svg and api/v3/ilove.svg endpoints. The 'love' query parameter is inserted verbatim into the SVG response without HTML or XML escaping, served with Content-Type image/svg+xml. This allows an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser within the Netdata origin. The endpoints are accessible anonymously by default due to disabled bearer-token protection and HTTP_ACL_NOCHECK registration. The issue was resolved by removing the vulnerable ilove endpoints in version 2.3.1.
Potential Impact
An attacker can execute arbitrary JavaScript in the context of the Netdata instance by tricking a user into visiting a specially crafted URL. This reflected XSS can lead to session hijacking, unauthorized actions, or other client-side attacks within the scope of the Netdata origin. The vulnerability affects default configurations where bearer-token protection is disabled and the endpoints are accessible without authentication.
Mitigation Recommendations
Upgrade Netdata to version 2.3.1 or later, where the vulnerable ilove endpoints have been removed. If upgrading is not immediately possible, restrict access to the api/v2/ilove.svg and api/v3/ilove.svg endpoints or enable bearer-token protection to prevent unauthenticated access. Check the vendor advisory for the latest remediation guidance.
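For defenders who cannot upgrade immediately, the following added example (not code from Netdata or the advisory) shows two checks: whether a reported Netdata version still ships the ilove endpoints, and a scan of reverse-proxy access logs for requests to api/v2/ilove.svg or api/v3/ilove.svg whose decoded 'love' parameter carries markup characters, which is what a reflected-XSS attempt would need. It assumes a combined-format access log in front of Netdata; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log line (assumption: a reverse proxy in front of
# Netdata writes this format). Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ILOVE_PATHS = ("/api/v2/ilove.svg", "/api/v3/ilove.svg")
MARKUP_CHARS = set('<>"\'&')  # characters that must not land raw in an SVG

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def is_affected(version):
    """True for Netdata releases before 2.3.1, where the endpoints still exist."""
    return version_tuple(version) < (2, 3, 1)

def inspect_request(target):
    """Return (path, decoded_love, suspicious) for an ilove.svg request target,
    or None when the target is some other endpoint."""
    parts = urlsplit(target)
    if parts.path not in ILOVE_PATHS:
        return None
    love = parse_qs(parts.query).get("love", [""])[0]  # parse_qs percent-decodes
    suspicious = any(c in MARKUP_CHARS for c in love)
    return parts.path, love, suspicious

def scan_log(lines):
    """Collect every ilove.svg request; 'suspicious' marks reflected values
    containing markup, i.e. something other than a plain word."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than crash
        hit = inspect_request(m.group("target"))
        if hit is None:
            continue
        path, love, suspicious = hit
        findings.append({"ip": m.group("ip"), "path": path, "love": love,
                         "status": int(m.group("status")), "suspicious": suspicious})
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /api/v2/ilove.svg?love=netdata HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2025:12:00:02 +0000] "GET /api/v3/ilove.svg?love=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /api/v1/info HTTP/1.1" 200 2048',
    'not a log line',
]
```

Any finding with `suspicious` set on an instance where `is_affected()` is true deserves a look at what the requesting client did next in the same session.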
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-rwcv-c3fr-4hrw
- Osv Schema Version: 1.4.0
- Aliases: CVE-2025-71385
- Ecosystems: none listed
- Database Specific Severity: MODERATE
- Cvss Version: 4.0
Threat ID: 6a46eca727e9c7971943a492
Added to database: 07/02/2026, 22:56:39 UTC
Last enriched: 07/02/2026, 23:00:45 UTC
Last updated: 07/03/2026, 00:51:22 UTC