Grafana Labs has addressed 4 Chromium vulnerabilities in crucial safety updates for the Grafana Picture Renderer plugin and Artificial Monitoring Agent.
Though the problems influence Chromium and have been mounted by the open-source undertaking two weeks in the past, Grafana obtained a bug bounty submission from safety researcher Alex Chapman proving their exploitability within the Grafana parts.
Grafana describes the replace as a “crucial severity safety launch” and advises customers to apply the fixes for the vulnerabilities under as quickly as attainable:
CVE-2025-5959 (high-severity, 8.8 rating) â sort confusion bug within the V8 JavaScript and WebAssembly engine permits distant code execution inside a sandbox by way of a crafted HTML web page
CVE-2025-6554 (high-severity, 8.1 rating) â sort confusion in V8 allows attackers to carry out arbitrary reminiscence learn/write by way of a malicious HTML web page
CVE-2025-6191 (high-severity, 8.8 rating) â integer overflow in V8 permits out-of-bounds reminiscence entry, doubtlessly resulting in code execution
CVE-2025-6192Â (high-severity, 8.8 rating) â use-after-free vulnerability in Chrome’s Metrics element might trigger heap corruption exploitable by way of crafted HTML
The safety issues influence the Grafana Picture Renderer variations prior to three.12.9, and the Syntentic Monitoring Agent variations earlier than 0.38.3.
The Grafana Picture Renderer is a broadly deployed plugin in manufacturing environments the place automated dashboard rendering for scheduled electronic mail reviews and embedding in third-party techniques is essential.
Though it isn’t bundled by default in Grafana, the plugin is formally maintained by the undertaking and has hundreds of thousands of downloads.
The Artificial Monitoring Agent is a part of Grafana Cloud’s Artificial Monitoring, utilized by prospects who want customized probe places, low-latency, high-visibility checks from inside nodes, and enterprises with hybrid or multi-cloud infrastructure needing artificial exams behind firewalls.
It’s not as broadly deployed because the Picture Rendered, however it might probably nonetheless be present in a big variety of high-value environments.
The 2 parts are vulnerbale as a result of they embrace a headless Chromium browser for rendering dashboards.
To get the most recent model of the Picture Rendered plugin, use the command: grafana-cli plugins set up grafana-image-renderer. For container installations, use: docker pull grafana/grafana-image-renderer:3.12.9.
The most recent Artificial Monitoring Agent model might be downloaded from GitHub. For container improve, use: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser.
Grafana Labs says that Grafana Cloud and Azure Managed Grafana situations have been patched, so customers counting on externally hosted situations do not must take any motion.
Grafana customers haven’t proven good reflexes in opposition to pressing replace notices not too long ago. Ox Safety highlighted final month that over 46,000 situations remained weak to an account takeover flaw with public exploit for which the seller launched fixes in Might.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key methods utilized by cloud-fluent risk actors.
