
Grafana Labs has issued an urgent security advisory addressing four critical vulnerabilities affecting two of its key components: the Grafana Image Renderer plugin and the Synthetic Monitoring Agent. The vulnerabilities, which stem from security flaws in Chromium, the browser engine used within these components, pose a serious remote code execution (RCE) threat.
“We have released updates for the Grafana Image Renderer plugin and Synthetic Monitoring Agent to address four critical impact vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192),” Grafana stated in the advisory.
All four CVEs are associated with V8, the JavaScript engine that Chromium shares with Google Chrome:
- CVE-2025-5959: A type confusion flaw in V8 allowed attackers to execute arbitrary code inside the sandbox via crafted HTML.
- CVE-2025-6554: Another type confusion bug enabled arbitrary read/write operations via HTML payloads.
- CVE-2025-6191: An integer overflow issue potentially permitted out-of-bounds memory access.
- CVE-2025-6192: A use-after-free bug in the Metrics component of Chrome made heap corruption exploitation possible.
Each vulnerability is rated critical using the CVSS 3.1 methodology due to the potential for full system compromise when exploited.
If you use:
- Grafana Image Renderer versions < 3.12.9
- Synthetic Monitoring Agent versions < 0.38.3
…your installation is vulnerable.
“Users who operate the Grafana Image Renderer plugin or have a local installation of the Synthetic Monitoring Agent are advised to update their systems,” the advisory recommends.
The flaws are triggered by crafted HTML, so simply rendering certain dashboard content through these Chromium-based components could be enough to expose the installation to an attacker.
Grafana has released patches and installation instructions:
For Grafana Image Renderer:
- Minimum version: 3.12.9
- Plugin install: grafana-cli plugins install grafana-image-renderer
- Docker: docker pull grafana/grafana-image-renderer:3.12.9
For Synthetic Monitoring Agent:
- Minimum version: 0.38.3
- GitHub download: Release v0.38.3
- Docker: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser
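To turn the version thresholds above into a check that can run on a host or in a CI job, here is an added example; it is not Grafana's code and does not come from the advisory. It compares Docker image tags and locally installed plugin versions against the two minimum versions. The sample `docker image ls` and `grafana-cli plugins ls` outputs are constructed, and the `name @ version` line format for `grafana-cli plugins ls` is an assumption.

```shell
#!/bin/sh
# Added example, not Grafana's code: flag Grafana Image Renderer and Synthetic
# Monitoring Agent versions below the minimums in the advisory. Inputs are parsed
# from text so the logic can run offline; both samples below are CONSTRUCTED.

MIN_RENDERER=3.12.9
MIN_SM_AGENT=0.38.3

# Constructed stand-in for: docker image ls --format '{{.Repository}}:{{.Tag}}'
SAMPLE_IMAGES='grafana/grafana-image-renderer:3.12.8
grafana/synthetic-monitoring-agent:v0.38.2-browser
grafana/grafana:11.1.0
grafana/grafana-image-renderer:3.12.9
grafana/synthetic-monitoring-agent:v0.38.3-browser
grafana/grafana-image-renderer:latest'

# Constructed stand-in for: grafana-cli plugins ls ("name @ version" lines assumed)
SAMPLE_PLUGINS='installed plugins:
grafana-clock-panel @ 2.1.3
grafana-image-renderer @ 3.12.8'

# normalize VERSION: drop a leading "v" and any "-suffix" (v0.38.2-browser -> 0.38.2)
normalize() { printf '%s' "$1" | sed 's/^v//; s/-.*$//'; }

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Components are compared numerically; the appended "." guarantees cut always
# sees a delimiter, and a missing component counts as 0 (so 3.12 < 3.12.9).
version_lt() {
  a="$(normalize "$1")."
  b="$(normalize "$2")."
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 1     # ran out of components: equal
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
}

# check_image REPO:TAG -> 0 vulnerable, 1 at/above minimum, 2 not an advisory
# component, 3 tag is not a version (latest, digest) and needs a manual look
check_image() {
  repo=${1%%:*}
  tag=${1#*:}
  case "$repo" in
    grafana/grafana-image-renderer)     min=$MIN_RENDERER ;;
    grafana/synthetic-monitoring-agent) min=$MIN_SM_AGENT ;;
    *) return 2 ;;
  esac
  case "$(normalize "$tag")" in
    ''|*[!0-9.]*) return 3 ;;
  esac
  version_lt "$tag" "$min"
}

# scan_images "IMAGE LIST": one line per covered image; exit 0 only when nothing
# vulnerable was found, so the function can gate a deployment job.
scan_images() {
  found=0
  for img in $1; do
    rc=0
    check_image "$img" || rc=$?
    case $rc in
      0) echo "VULNERABLE  $img"; found=$((found + 1)) ;;
      1) echo "ok          $img" ;;
      3) echo "CHECK       $img (tag is not a version)" ;;
    esac
  done
  echo "$found vulnerable image(s)"
  [ "$found" -eq 0 ]
}

# count_vulnerable "IMAGE LIST": just the number of VULNERABLE lines
count_vulnerable() { scan_images "$1" | grep -c '^VULNERABLE' || true; }

# plugin_version NAME "plugins ls output": installed version, or nothing if absent
plugin_version() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "@" { print $3 }'
}

# renderer_plugin_vulnerable "plugins ls output": 0 if the locally installed
# grafana-image-renderer plugin is below the minimum, 1 if absent or patched
renderer_plugin_vulnerable() {
  v=$(plugin_version grafana-image-renderer "$1")
  [ -n "$v" ] && version_lt "$v" "$MIN_RENDERER"
}

# Usage against the constructed samples
scan_images "$SAMPLE_IMAGES" || echo "update to >= $MIN_RENDERER / >= $MIN_SM_AGENT before deploying"
if renderer_plugin_vulnerable "$SAMPLE_PLUGINS"; then
  echo "plugin grafana-image-renderer $(plugin_version grafana-image-renderer "$SAMPLE_PLUGINS") < $MIN_RENDERER: run 'grafana-cli plugins install grafana-image-renderer'"
fi
```

On a real host, replace the two sample strings with the live command output (`docker image ls --format '{{.Repository}}:{{.Tag}}'` and `grafana-cli plugins ls`). Tags such as `latest` carry no version information, which is why the script reports them separately instead of guessing; pinning to the versions named in the advisory avoids that ambiguity.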
Full patch details and installation documentation are available on Grafana’s official plugin page and synthetic monitoring setup guide.