Grafana Labs has released urgent security updates for its widely used Image Renderer plugin and Synthetic Monitoring Agent after four critical Chromium vulnerabilities were shown to be exploitable through those components. The flaws could allow an attacker who can get the embedded browser to load malicious HTML to execute arbitrary code, perform arbitrary memory reads and writes, or corrupt the heap.
The company labeled this a “critical severity security release”, urging all self-hosted users to patch their systems immediately. Managed Grafana Cloud and Azure-hosted services have already been updated.
Four Chromium Vulnerabilities Found in Grafana Components
The vulnerabilities were disclosed through Grafana's bug bounty program by security researcher Alex Chapman, who demonstrated their exploitability inside the Grafana environment. The root cause lies in Chromium and was already patched upstream, but Grafana components that bundle a headless Chromium browser for rendering dashboards kept shipping the vulnerable build until these releases updated it.
The affected vulnerabilities are:
- CVE-2025-5959 (CVSS 8.8): Type confusion in the V8 engine allowing arbitrary code execution inside the renderer sandbox via a crafted HTML page.
- CVE-2025-6554 (CVSS 8.1): Type confusion in V8 permitting arbitrary memory reads and writes via a crafted HTML page; Google reported an exploit for this bug in the wild when it shipped the Chrome fix.
- CVE-2025-6191 (CVSS 8.8): Integer overflow in V8 leading to out-of-bounds memory access.
- CVE-2025-6192 (CVSS 8.8): Use-after-free in Chromium's Profiler component, exploitable for heap corruption.
These flaws affect:
- Grafana Image Renderer versions < 3.12.9
- Synthetic Monitoring Agent versions < 0.38.3
Plugin Widely Deployed in Production Dashboards
The Image Renderer plugin, although not bundled by default, is used heavily in enterprise setups for automating dashboard screenshots, embedding visuals into third-party systems, and scheduling reports. Because it loads dashboard content authored by Grafana users into a headless browser, any user who can edit panels, or otherwise influence what the renderer is asked to load, can feed it attacker-controlled HTML, which makes an unpatched renderer a high-risk component.
Meanwhile, the Synthetic Monitoring Agent, while less broadly deployed, is often used in hybrid environments and behind firewalls to perform internal synthetic checks. Its role in enterprise observability makes it a key target for exploitation in high-value networks.
“Security is a continuous and collaborative process, and we acted quickly to mitigate these third-party vulnerabilities once they were disclosed,” said Joe McManus, CISO at Grafana Labs.
He added that updates were prioritized across cloud services and shared with service partners to ensure full protection.
Patching Instructions and Upgrade Paths
To update, Grafana users can:
- For Image Renderer, reinstall the plugin, which fetches the current release:
grafana-cli plugins install grafana-image-renderer
Or pull the container image:
docker pull grafana/grafana-image-renderer:3.12.9
- For Synthetic Monitoring Agent, download the release from GitHub or run:
docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser
After a plugin install, restart the Grafana server so the new version is loaded, and confirm it with grafana-cli plugins ls. For the container images, confirm that every running instance has actually been restarted from the new tag rather than only pulled.
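As an added example (not Grafana's own tooling), the following POSIX shell script compares container image references against the two fixed versions named above, so a fleet can be checked before and after the upgrade. Only the fixed version numbers come from the advisory; the image reference format, the helper names and the sample lines at the bottom are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Grafana's tooling: flag container images of the two
# affected components whose tag is below the fixed versions in the advisory.
# Assumes image references look like "[registry[:port]/]repo:tag".

IMAGE_RENDERER_FIXED="3.12.9"   # grafana-image-renderer < 3.12.9 is affected
SM_AGENT_FIXED="0.38.3"         # synthetic-monitoring-agent < 0.38.3 is affected

# strip_tag TAG: "v0.38.3-browser" -> "0.38.3" (drop leading 'v' and variant suffix)
strip_tag() {
  printf '%s\n' "$1" | sed -e 's/^v//' -e 's/-.*$//'
}

# version_lt A B: exit 0 when dotted version A is strictly lower than B
# (three numeric components; a missing component counts as 0)
version_lt() {
  va=$(strip_tag "$1"); vb=$(strip_tag "$2")
  old_ifs=$IFS; IFS=.
  set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$old_ifs
  r=1
  if [ "$a1" -lt "$b1" ]; then r=0
  elif [ "$a1" -eq "$b1" ] && [ "$a2" -lt "$b2" ]; then r=0
  elif [ "$a1" -eq "$b1" ] && [ "$a2" -eq "$b2" ] && [ "$a3" -lt "$b3" ]; then r=0
  fi
  return $r
}

# check_image IMAGE_REF: prints one of
#   VULNERABLE      tag is below the fixed version
#   patched         tag is at or above the fixed version
#   unknown         tag is not a version (e.g. "latest"): pin a version and re-check
#   not-applicable  image is not one of the two affected components
check_image() {
  tag=${1##*:}
  repo=${1%:*}
  case "$tag" in
    */*|"$1") repo=$1; tag=latest ;;   # no tag: any ':' seen belonged to a registry port
  esac
  case "$repo" in
    */grafana-image-renderer|grafana-image-renderer) fixed=$IMAGE_RENDERER_FIXED ;;
    */synthetic-monitoring-agent|synthetic-monitoring-agent) fixed=$SM_AGENT_FIXED ;;
    *) echo "not-applicable"; return 0 ;;
  esac
  ver=$(strip_tag "$tag")
  case "$ver" in
    ""|*[!0-9.]*) echo "unknown"; return 0 ;;
  esac
  if version_lt "$ver" "$fixed"; then echo "VULNERABLE"; else echo "patched"; fi
}

# Constructed sample of what `docker ps --format '{{.Image}}'` might print on a
# host; on a real host, pipe that command's output into the loop instead.
printf '%s\n' \
  grafana/grafana:11.1.0 \
  grafana/grafana-image-renderer:3.12.8 \
  grafana/grafana-image-renderer:latest \
  grafana/synthetic-monitoring-agent:v0.38.3-browser |
while IFS= read -r image; do
  printf '%-52s %s\n' "$image" "$(check_image "$image")"
done
```

The "unknown" result for a floating tag such as latest is deliberate: a pulled image with that tag says nothing about what is actually running, so the host should be moved to a pinned tag (or checked with docker image inspect against the digest of the fixed release) before it is counted as patched.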
Grafana also noted that external-facing services such as Grafana Cloud and Azure Managed Grafana are already secured, requiring no action from those users.
Still, there’s concern over lagging user response to security notices. Recent findings by Ox Security revealed that over 46,000 Grafana instances remained vulnerable to a critical account takeover flaw even weeks after patches had been released.
For enterprises that embed third-party rendering or monitoring agents deep in their workflows, delays in patching components like these expose operational dashboards, reporting systems and internal telemetry to compromise. When a visualization plugin becomes an attack surface, inventorying where such components run, and being able to restore them quickly, matters as much as patching the main Grafana server.