Grafana Labs has addressed four Chromium vulnerabilities in critical security updates for the Grafana Image Renderer plugin and the Synthetic Monitoring Agent.
Though the issues affect Chromium and were fixed by the open-source project two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving that they are exploitable in the Grafana components.
Grafana describes the update as a "critical severity security release" and advises users to apply the fixes for the vulnerabilities below as soon as possible:
CVE-2025-5959 (high severity, 8.8 score) – type confusion bug in the V8 JavaScript and WebAssembly engine allows remote code execution inside a sandbox via a crafted HTML page
CVE-2025-6554 (high severity, 8.1 score) – type confusion in V8 enables attackers to perform arbitrary memory read/write via a malicious HTML page
CVE-2025-6191 (high severity, 8.8 score) – integer overflow in V8 allows out-of-bounds memory access, potentially leading to code execution
CVE-2025-6192 (high severity, 8.8 score) – use-after-free vulnerability in Chrome's Metrics component could cause heap corruption exploitable via crafted HTML
The security issues affect Grafana Image Renderer versions prior to 3.12.9 and Synthetic Monitoring Agent versions prior to 0.38.3.
The Grafana Image Renderer is a widely deployed plugin in production environments where automated dashboard rendering for scheduled email reports and embedding in third-party systems is essential.
Even though it is not bundled with Grafana by default, the plugin is officially maintained by the project and has millions of downloads.
The Synthetic Monitoring Agent is part of Grafana Cloud's Synthetic Monitoring, used by customers who need custom probe locations, low-latency, high-visibility checks from internal nodes, and by enterprises with hybrid or multi-cloud infrastructure that need synthetic tests behind firewalls.
It is not as widely deployed as the Image Renderer, but it can still be found in a large number of high-value environments.
The two components are vulnerable because they embed a headless Chromium browser to render dashboards, so the Chromium engine flaws above are reachable through them.
To get the latest version of the Image Renderer plugin, use the command: grafana-cli plugins install grafana-image-renderer. For container installations, use: docker pull grafana/grafana-image-renderer:3.12.9.
The latest Synthetic Monitoring Agent version can be downloaded from GitHub. For container upgrades, use: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser.
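Before and after upgrading, a practitioner will want to confirm that the versions actually running are at or above the fixed releases the advisory names. The script below is an added example, not code from Grafana or from the advisory: it compares a reported version against the fixed version in semantic-version order (so that 3.12.10 is correctly treated as newer than 3.12.9), strips the "v" prefix and "-browser" suffix used by the agent image tag, and parses the "id @ version" lines that grafana-cli plugins ls prints. The plugin listing embedded here is constructed sample output, not captured from a real host, and the script assumes a GNU sort that supports -V.

```shell
#!/bin/sh
# Added example, not part of the Grafana advisory: check reported versions of the
# two affected components against the fixed releases (3.12.9 and 0.38.3).
# Assumes GNU coreutils `sort -V` for semantic-version ordering.

FIXED_IMAGE_RENDERER="3.12.9"
FIXED_SM_AGENT="0.38.3"

# normalize_version: drop a leading "v" and any "-suffix",
# e.g. "v0.38.3-browser" -> "0.38.3"
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^v//' -e 's/-.*$//'
}

# version_ge A B: succeed when A >= B in semantic-version order
# (plain string comparison would wrongly rank 3.12.10 below 3.12.9)
version_ge() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | tail -n1)" = "$a" ]
}

# is_patched COMPONENT VERSION: print "ok" (exit 0) if VERSION is at or above
# the fixed release for COMPONENT, "vulnerable" (exit 1) otherwise.
# An empty VERSION is treated as vulnerable rather than silently passing.
is_patched() {
    case "$1" in
        grafana-image-renderer)     fixed="$FIXED_IMAGE_RENDERER" ;;
        synthetic-monitoring-agent) fixed="$FIXED_SM_AGENT" ;;
        *) echo "unknown"; return 2 ;;
    esac
    if [ -n "$2" ] && version_ge "$2" "$fixed"; then
        echo "ok"; return 0
    fi
    echo "vulnerable"; return 1
}

# renderer_version_from_plugin_list: read `grafana-cli plugins ls` output on
# stdin ("<id> @ <version>" lines) and print the image renderer's version.
renderer_version_from_plugin_list() {
    awk '$1 == "grafana-image-renderer" && $2 == "@" { print $3; exit }'
}

# Constructed sample shaped like `grafana-cli plugins ls` output (not from a real host)
SAMPLE_PLUGIN_LIST='installed plugins:
grafana-clock-panel @ 2.1.3
grafana-image-renderer @ 3.12.8'

main() {
    v=$(printf '%s\n' "$SAMPLE_PLUGIN_LIST" | renderer_version_from_plugin_list)
    printf 'grafana-image-renderer %s: %s\n' "$v" "$(is_patched grafana-image-renderer "$v")"
    printf 'synthetic-monitoring-agent v0.38.3-browser: %s\n' \
        "$(is_patched synthetic-monitoring-agent v0.38.3-browser)"
}

main
```

On a real host, replace the constructed listing with the output of grafana-cli plugins ls, or feed the tag of the running container image (for example from docker ps) to is_patched; for the agent the "-browser" suffix on the tag is stripped before comparison.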
Grafana Labs says that Grafana Cloud and Azure Managed Grafana instances have already been patched, so users relying on those externally hosted instances do not need to take any action.
Grafana users have not shown good reflexes toward urgent update notices recently. Ox Security highlighted last month that over 46,000 instances remained vulnerable to an account takeover flaw with a public exploit, for which the vendor had released fixes in May.
