Sunday, July 6, 2025

Grafana releases critical security update for Image Renderer plugin


Grafana Labs has addressed four Chromium vulnerabilities in critical security updates for the Grafana Image Renderer plugin and the Synthetic Monitoring Agent.

Although the issues affect Chromium and were fixed by the open-source project two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving their exploitability in the Grafana components.

Grafana describes the update as a “critical severity security release” and advises users to apply the fixes for the vulnerabilities below as soon as possible:

CVE-2025-5959 (high-severity, 8.8 score) – type confusion bug in the V8 JavaScript and WebAssembly engine allows remote code execution inside a sandbox via a crafted HTML page
CVE-2025-6554 (high-severity, 8.1 score) – type confusion in V8 allows attackers to perform arbitrary memory read/write through a malicious HTML page
CVE-2025-6191 (high-severity, 8.8 score) – integer overflow in V8 allows out-of-bounds memory access, potentially leading to code execution
CVE-2025-6192 (high-severity, 8.8 score) – use-after-free vulnerability in Chrome’s Metrics component could cause heap corruption exploitable via crafted HTML

The security issues affect Grafana Image Renderer versions prior to 3.12.9 and Synthetic Monitoring Agent versions before 0.38.3.

The Grafana Image Renderer is a widely deployed plugin in production environments where automated dashboard rendering for scheduled email reports and embedding in third-party systems is essential.

Although it’s not bundled by default in Grafana, the plugin is officially maintained by the project and has millions of downloads.

The Synthetic Monitoring Agent is part of Grafana Cloud’s Synthetic Monitoring, used by customers who need custom probe locations, low-latency, high-visibility checks from internal nodes, and enterprises with hybrid or multi-cloud infrastructure that need synthetic checks behind firewalls.

It isn’t as widely deployed as the Image Renderer, but it can still be found in a large number of high-value environments.

The two components are vulnerable because they embed a headless Chromium browser for rendering dashboards.

To get the latest version of the Image Renderer plugin, use the command: grafana-cli plugins install grafana-image-renderer. For container installations, use: docker pull grafana/grafana-image-renderer:3.12.9.

The latest Synthetic Monitoring Agent version can be downloaded from GitHub. For container upgrades, use: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser.
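As an added example (not from the advisory or from Grafana Labs), the following Python check classifies container image references against the fixed versions named above, so an operator can spot renderer or agent containers that still need the upgrade. The tag-parsing rules and the handling of the docker.io prefix are assumptions; the version thresholds come from the advisory.

```python
"""Flag Grafana Image Renderer / Synthetic Monitoring Agent container images
whose tag is below the fixed versions named in the advisory above."""
import re

# Fixed versions from the advisory; anything below is affected.
FIXED_VERSIONS = {
    "grafana/grafana-image-renderer": (3, 12, 9),
    "grafana/synthetic-monitoring-agent": (0, 38, 3),
}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag):
    """'3.12.9' or 'v0.38.3-browser' -> (3, 12, 9); None for tags like 'latest'.
    A leading 'v' and any variant suffix (e.g. '-browser') are ignored."""
    m = _VERSION_RE.match(tag)
    return tuple(int(p) for p in m.groups()) if m else None


def check_image(image_ref):
    """Classify one 'repo:tag' reference as 'vulnerable', 'patched',
    'unknown-tag' (non-semver tag, confirm the running version by hand)
    or 'not-in-scope' (some other image)."""
    repo, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:  # no tag: the ':' belonged to a registry port
        repo, tag = image_ref, ""
    repo = repo.removeprefix("docker.io/")  # assumption: Docker Hub images
    fixed = FIXED_VERSIONS.get(repo)
    if fixed is None:
        return "not-in-scope"
    version = parse_version(tag)
    if version is None:
        return "unknown-tag"
    return "vulnerable" if version < fixed else "patched"


# Constructed sample inventory (not from the advisory), e.g. the output of
# `docker ps --format '{{.Image}}'` on a host you administer.
SAMPLE_IMAGES = [
    "grafana/grafana-image-renderer:3.12.8",
    "grafana/grafana-image-renderer:3.12.9",
    "docker.io/grafana/synthetic-monitoring-agent:v0.38.2-browser",
    "grafana/synthetic-monitoring-agent:v0.38.3-browser",
    "grafana/grafana-image-renderer:latest",
    "grafana/grafana:12.0.0",
]

if __name__ == "__main__":
    for ref in SAMPLE_IMAGES:
        print(f"{check_image(ref):13} {ref}")
```

A "latest" tag says nothing about the running version, so such containers should be inspected directly rather than assumed patched.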

Grafana Labs says that Grafana Cloud and Azure Managed Grafana instances have already been patched, so users relying on externally hosted instances do not need to take any action.

Grafana users haven’t shown good reflexes in response to urgent update notices recently. Ox Security highlighted last month that over 46,000 instances remained vulnerable to an account takeover flaw with a public exploit, for which the vendor had released fixes in May.
