Grafana Labs has released an emergency security patch for two components, the Image Renderer plugin and the Synthetic Monitoring Agent, after four serious vulnerabilities were found in the Chromium library bundled with them. Although the Chromium team had already fixed these vulnerabilities upstream, they remain exploitable in a Grafana environment because of the way the plugins run Chromium in headless mode. The issue was reported by security researcher Alex Chapman through a bug bounty program, prompting Grafana Labs to release an update quickly to limit the risk to users.
All four vulnerabilities are rated high severity, with CVSS scores ranging from 8.1 to 8.8. Specifically, CVE-2025-5959 and CVZ-2554 are type confusion flaws in V8, Chromium's JavaScript engine. They may allow an attacker to execute code remotely or perform arbitrary memory reads and writes by getting the engine to process a specially crafted HTML page. CVE-2025-6191 is an integer overflow in V8 that could lead to out-of-bounds memory access. Finally, CVE-2025-6192 is a use-after-free bug in Chrome's Metrics component that causes heap corruption when handling malicious HTML content. All of these flaws can be used to corrupt memory or take control of the rendering process.

The two affected components are Image Renderer (versions before 3.12.9) and Synthetic Monitoring Agent (versions before 0.38.3). Image Renderer is a widely used plugin in real-world Grafana deployments; it converts dashboards into images for reporting, sharing, or embedding in external applications. Although it is not installed by default, it has been downloaded millions of times and appears in a wide variety of production environments. The Synthetic Monitoring Agent, meanwhile, is used primarily in Grafana Cloud to run performance and availability checks from network locations around the world. Although less common, it is usually deployed in high-value systems that require high reliability.
What the two components have in common is that both embed Chromium in headless mode to render HTML content. This reliance on a complex browser engine is exactly why the plugins are directly affected whenever Chromium has a security flaw. In an exploitation scenario, an attacker supplies malicious HTML content that triggers a bug in V8 or a related module, leading to code execution or memory corruption in Grafana's render process.
Given this level of risk, Grafana Labs recommends that users update the affected components immediately. For Image Renderer and Synthetic Monitoring Agent, users can update via grafana-cli or pull the latest Docker images for the patched versions, namely Image Renderer 3.12.9 and Synthetic Monitoring Agent 0.38.3-browser. For users of Grafana Cloud and Azure Managed Grafana, Grafana confirmed that the systems have already been patched automatically, so no further manual action is needed.
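A quick way for an operator to confirm whether a self-hosted installation is still on a vulnerable version, as an added example that is not part of the advisory or of Grafana's own tooling. It assumes `grafana-cli plugins ls` prints installed plugins as `plugin-id @ version` lines and that GNU `sort -V` is available; the sample output below is constructed.

```shell
#!/usr/bin/env bash
# Added example: compare installed component versions against the patched
# versions named in the advisory (3.12.9 and 0.38.3). Not Grafana's own code.
# Assumption: `grafana-cli plugins ls` lists plugins as "plugin-id @ version".

FIXED_RENDERER="3.12.9"   # Image Renderer patched version
FIXED_SM_AGENT="0.38.3"   # Synthetic Monitoring Agent patched version

# version_lt A B -> true (exit 0) when A sorts before B (GNU sort -V semantics)
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# renderer_status <text of `grafana-cli plugins ls`>
# prints "vulnerable <ver>", "patched <ver>" or "not-installed"
renderer_status() {
    local ver
    ver=$(printf '%s\n' "$1" | awk '$1 == "grafana-image-renderer" && $2 == "@" {print $3; exit}')
    if [ -z "$ver" ]; then echo "not-installed"; return; fi
    if version_lt "$ver" "$FIXED_RENDERER"; then echo "vulnerable $ver"; else echo "patched $ver"; fi
}

# sm_agent_status <container image tag such as 0.38.1-browser>
# strips the "-browser" tag suffix before comparing the numeric part
sm_agent_status() {
    local ver="${1%-browser}"
    if version_lt "$ver" "$FIXED_SM_AGENT"; then echo "vulnerable $ver"; else echo "patched $ver"; fi
}

# Constructed sample shaped like `grafana-cli plugins ls` output (not real data)
SAMPLE_LS='installed plugins:
grafana-image-renderer @ 3.11.6
grafana-clock-panel @ 2.1.3
'
echo "image renderer: $(renderer_status "$SAMPLE_LS")"
echo "sm agent: $(sm_agent_status "0.38.1-browser")"
# On a live host: renderer_status "$(grafana-cli plugins ls)"
```

On a real host, replace the constructed sample with the actual `grafana-cli plugins ls` output and the tag of the running synthetic-monitoring-agent image.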
The incident once again highlights the risk carried by systems that rely on highly complex external components such as Chromium. Even when the application core is well secured, a delayed plugin update can become the weak link that opens a path deep into the monitoring infrastructure. Since Grafana is typically deployed at the center of an organization's observability and operations stack, ensuring that plugins and dependencies are patched promptly is essential to avoid serious security consequences.