The Grafana team has released a critical update that closes four dangerous Chromium vulnerabilities that could be exploited for remote code execution via specially crafted HTML pages. The vulnerabilities affect the Grafana Image Renderer and Synthetic Monitoring Agent, which use headless Chromium to render dashboards. The updates are available now — users are urged to act immediately.

The vulnerabilities are in Chromium's V8 JavaScript engine. Google has already patched them in Chrome, but that does not help here: the Grafana Image Renderer and the Synthetic Monitoring Agent ship their own bundled copy of Chromium, so they stay vulnerable until that bundled browser is updated, regardless of what is installed on the host. Security researcher Alex Chapman demonstrated that the bugs are exploitable in this setting and reported them through a bug bounty program.
Here are the CVEs that the patch closes (CVSS score in brackets):
CVE-2025-5959 (CVSS 8.8): type confusion in V8, remote code execution via a crafted HTML page
CVE-2025-6554 (CVSS 8.1): type confusion in V8, arbitrary memory read/write
CVE-2025-6191 (CVSS 8.8): integer overflow in V8, out-of-bounds buffer access
CVE-2025-6192 (CVSS 8.8): use-after-free in Metrics, heap corruption
Affected versions (anything older than the fixed release):
Grafana Image Renderer < 3.12.9 (fixed in 3.12.9)
Synthetic Monitoring Agent < 0.38.3 (fixed in 0.38.3)
Both components are widely used: the renderer for automated reporting and for rendering graphs into e-mail, the agent in cloud and hybrid infrastructures to check service availability.
Grafana Image Renderer is a plugin that produces dashboard images for e-mail reports and external systems. It is officially supported by Grafana Labs but is not part of the base Grafana package, so it is not updated together with Grafana and has to be upgraded separately. The same applies to the Synthetic Monitoring Agent, which runs checks from custom probe locations to verify SLAs; it is deployed on its own and must be updated independently on every host where it runs.
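Because neither component is upgraded by a Grafana core update, the practical check is to compare what each host actually reports against the fixed versions listed above. The following POSIX shell snippet does that and prints the upgrade commands; it is an example added here, not part of the page or of Grafana's own tooling. The version strings it checks are constructed sample input standing in for what `grafana-cli plugins ls` or the agent's image tag reports; `grafana-cli plugins update` is the standard plugin update command, while the container image name and tag scheme for the agent are assumptions to verify against your own deployment manifest.

```shell
#!/bin/sh
# Added example (not Grafana's own tooling): compare installed versions of the
# two affected components against the fixed versions from the advisory and
# print what to run. Plain /bin/sh with no `sort -V`, so it also works on
# minimal container images.

FIXED_RENDERER="3.12.9"   # Grafana Image Renderer fixed in 3.12.9
FIXED_SM_AGENT="0.38.3"   # Synthetic Monitoring Agent fixed in 0.38.3

# version_lt A B: true (exit 0) if dotted version A is older than B.
# Compares up to three numeric fields so that 3.9.0 sorts before 3.12.9,
# which a plain string comparison would get wrong. A leading "v" and
# trailing suffixes such as "-rc1" are ignored.
version_lt() {
  a="${1#v}"; b="${2#v}"
  i=0
  while [ "$i" -lt 3 ]; do
    x="${a%%.*}"; y="${b%%.*}"              # current field
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"    # drop any non-numeric suffix
    x="${x:-0}"; y="${y:-0}"                # missing field counts as 0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac   # advance to next field
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    i=$((i + 1))
  done
  return 1                                  # versions are equal
}

# needs_update NAME INSTALLED FIXED: prints a verdict; true if INSTALLED < FIXED.
needs_update() {
  if version_lt "$2" "$3"; then
    echo "$1 $2: VULNERABLE, upgrade to $3 or later"
    return 0
  fi
  echo "$1 $2: not affected"
  return 1
}

# Constructed sample versions standing in for what a real host reports
# (the plugin version from `grafana-cli plugins ls`, the agent's image tag).
if needs_update grafana-image-renderer 3.12.8 "$FIXED_RENDERER"; then
  echo "  grafana-cli plugins update grafana-image-renderer && systemctl restart grafana-server"
fi
if needs_update synthetic-monitoring-agent v0.37.0 "$FIXED_SM_AGENT"; then
  # Image name and tag scheme are assumptions; check your own deployment manifest.
  echo "  docker pull grafana/synthetic-monitoring-agent:v$FIXED_SM_AGENT   # then redeploy"
fi
```

Run it with the versions your hosts actually report; a remote rendering service deployed as its own container needs the same check against its image tag, since the bundled Chromium lives in that image rather than in Grafana itself.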
This incident is a reminder that bundling a third-party component such as Chromium is not only a convenience but also an ongoing responsibility. Even when the upstream project has fixed the bugs, dependent services remain vulnerable until they pick up the fix, which can take months. The trigger here is a crafted HTML page loaded by the headless browser, and because that browser runs alongside the renderer or agent, the resulting code execution lands wherever that component is deployed. Given that the Image Renderer is used in millions of installations, the risk of large-scale exploitation is real. The message is simple: upgrade now.