Grafana releases critical security update for Image Renderer plugin

Grafana Labs has addressed 4 Chromium vulnerabilities in critical security updates for the Grafana Image Renderer plugin and Synthetic Monitoring Agent.

Though the issues affect Chromium and were fixed by the open-source project two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving their exploitability within the Grafana components.

Grafana describes the update as a “critical severity security release” and advises users to apply the fixes for the vulnerabilities below as soon as possible:

CVE-2025-5959 (high-severity, 8.8 score) – type confusion bug in the V8 JavaScript and WebAssembly engine allows remote code execution inside a sandbox via a crafted HTML page
CVE-2025-6554 (high-severity, 8.1 score) – type confusion in V8 allows attackers to perform arbitrary memory read/write via a malicious HTML page
CVE-2025-6191 (high-severity, 8.8 score) – integer overflow in V8 allows out-of-bounds memory access, potentially leading to code execution
CVE-2025-6192 (high-severity, 8.8 score) – use-after-free vulnerability in Chrome’s Metrics component could cause heap corruption exploitable via crafted HTML

The security issues affect Grafana Image Renderer versions prior to 3.12.9, and Synthetic Monitoring Agent versions earlier than 0.38.3.

The Grafana Image Renderer is a widely deployed plugin in production environments where automated dashboard rendering for scheduled email reports and embedding in third-party systems is essential.

Even though it isn’t bundled by default in Grafana, the plugin is officially maintained by the project and has millions of downloads.

The Synthetic Monitoring Agent is part of Grafana Cloud’s Synthetic Monitoring, used by customers who need custom probe locations, low-latency, high-visibility checks from internal nodes, and enterprises with hybrid or multi-cloud infrastructure needing synthetic tests behind firewalls.

It’s not as widely deployed as the Image Renderer, but it can still be found in a significant number of high-value environments.

The two components are vulnerable because they embed a headless Chromium browser for rendering dashboards.

To get the latest version of the Image Renderer plugin, use the command: grafana-cli plugins install grafana-image-renderer. For container installations, use: docker pull grafana/grafana-image-renderer:3.12.9.

The latest Synthetic Monitoring Agent version can be downloaded from GitHub. For container upgrades, use: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser.
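As an added example (not code from the article or from Grafana Labs), the following Python check compares the image tags in a container inventory against the fixed versions named above, so a defender can spot hosts still running an affected build. The sample listing, the `is_vulnerable` and `audit_images` helpers, and the handling of the `v...-browser` tag suffix are assumptions for illustration.

```python
import re

# Fixed versions from the advisory above (Image Renderer 3.12.9, Synthetic Monitoring Agent 0.38.3).
FIXED_VERSIONS = {
    "grafana-image-renderer": (3, 12, 9),
    "synthetic-monitoring-agent": (0, 38, 3),
}
# Accepts '3.12.9', 'v0.38.3-browser' or '0.38.2+build'; the suffix after '-' or '+' is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")

def parse_version(tag):
    """Return a comparable (major, minor, patch) tuple, or None if the tag is not a version."""
    m = _VERSION_RE.match(tag.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable(image, tag):
    """True if `image` is an affected component below its fixed version, False if at or above.
    None when the image is not one of the two components or the tag is not a parseable
    version (e.g. 'latest'), so the caller can flag it for manual review."""
    fixed = FIXED_VERSIONS.get(image.rsplit("/", 1)[-1])  # strip registry/namespace prefix
    version = parse_version(tag)
    if fixed is None or version is None:
        return None
    return version < fixed

def audit_images(listing):
    """Classify each 'repository:tag' line from `docker image ls --format '{{.Repository}}:{{.Tag}}'`."""
    results = {}
    for line in listing.splitlines():
        line = line.strip()
        if line:
            image, _, tag = line.rpartition(":")
            results[line] = is_vulnerable(image, tag)
    return results

# Constructed sample inventory (hypothetical, not real data).
SAMPLE_LISTING = """
grafana/grafana-image-renderer:3.12.8
grafana/grafana-image-renderer:3.12.9
grafana/synthetic-monitoring-agent:v0.37.0-browser
grafana/synthetic-monitoring-agent:v0.38.3-browser
grafana/grafana-image-renderer:latest
grafana/grafana:11.1.0
"""

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "patched", None: "check manually"}
    for image, status in audit_images(SAMPLE_LISTING).items():
        print(f"{labels[status]:16} {image}")
```

For a plugin installed with grafana-cli rather than a container, pass the version shown by `grafana-cli plugins ls` straight to `is_vulnerable("grafana-image-renderer", version)`.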

Grafana Labs says that Grafana Cloud and Azure Managed Grafana instances have been patched, so users relying on externally hosted instances do not need to take any action.

Grafana users haven’t shown good reflexes toward urgent update notices lately. Ox Security highlighted last month that over 46,000 instances remained vulnerable to an account takeover flaw with a public exploit for which the vendor released fixes in May.

Update 7/3 - Grafana sent BleepingComputer the following comment:

“Security is a continuous and collaborative process, and we acted quickly to mitigate these third-party vulnerabilities once they were disclosed. As soon as we were made aware of the Chromium-related issues through our bug bounty program, we prioritized updates to impacted components, issued patches to all affected Grafana Cloud services, and worked closely with our managed service partners to ensure full coverage. While these CVEs originate in the Chromium library, we take our responsibility to the community and our customers seriously and encourage all users to update immediately.” – Joe McManus, CISO, Grafana Labs
