
Grafana Labs has addressed four Chromium vulnerabilities in important security updates for the Grafana Image Renderer plugin and the Synthetic Monitoring Agent.
Although the issues affect Chromium and were fixed by the open-source project two weeks ago, Grafana received a bug bounty submission from security researcher Alex Chapman proving that they are exploitable in the Grafana components.
Grafana describes the update as a “significant severity security release” and advises users to apply the fixes for the following vulnerabilities as soon as possible:
CVE-2025-5959 (high severity, 8.8 score) - Type confusion in the V8 JavaScript and WebAssembly engine allows remote code execution inside a sandbox through a crafted HTML page.
CVE-2025-6554 (high severity, 8.1 score) - Type confusion in V8 enables attackers to perform arbitrary memory read/write through a malicious HTML page.
CVE-2025-6191 (high severity, 8.8 score) - Integer overflow in V8 allows out-of-bounds memory access, possibly leading to code execution.
CVE-2025-6192 (high severity, 8.8 score) - Use-after-free vulnerability in Chrome's Metrics component can be exploited to cause heap corruption through a crafted HTML page.
The security problems affect Grafana Image Renderer versions before 3.12.9 and Synthetic Monitoring Agent versions before 0.38.3.
The Grafana Image Renderer is a plugin widely deployed in production environments where automated dashboard rendering is important for scheduled email reports and for embedding in third-party systems.
Even though it is not bundled with Grafana by default, the plugin is officially maintained by the project and has millions of downloads.
The Synthetic Monitoring Agent is part of Grafana Cloud's Synthetic Monitoring. It is used by customers who need custom probe locations or low-latency checks from internal nodes, and by enterprises with hybrid or multi-cloud infrastructure that require synthetic tests behind firewalls.
It is not as widely deployed as the Image Renderer, but it can still be found in a significant number of high-value environments.
Both components are vulnerable because they include a headless Chromium browser to render dashboards.
To get the latest version of the Image Renderer, use the command: grafana-cli plugins install grafana-image-renderer
For container installations, use: docker pull grafana/grafana-image-renderer:3.12.9
The latest Synthetic Monitoring Agent version can be downloaded from GitHub.
For container upgrades, use: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser
Grafana Labs says Grafana Cloud and Azure Managed Grafana instances have been patched, so users who rely on externally hosted instances do not need to take any action.
Grafana users have not recently shown good reflexes in responding to urgent update notices. Last month, OX Security highlighted that more than 46,000 instances remained vulnerable to an account takeover flaw with a public exploit, for which the vendor had issued a fix in May.
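As an added example (not code from Grafana Labs or from the original article), the following Python script checks container image references against the fixed versions stated above, using the image names from the docker pull commands. The function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed versions and image names as given in the article's text and
# docker pull commands.
FIXED = {
    "grafana/grafana-image-renderer": (3, 12, 9),
    "grafana/synthetic-monitoring-agent": (0, 38, 3),
}

def classify(image_ref):
    """Return (repository, verdict) for one container image reference.

    verdict: 'vulnerable', 'patched', 'unknown' (tag carries no version,
    e.g. 'latest' or digest-only) or 'not-affected' (other image).
    """
    ref = image_ref.strip().split("@", 1)[0]   # drop an @sha256:... digest
    slash, colon = ref.rfind("/"), ref.rfind(":")
    # Only a ':' after the last '/' introduces a tag; an earlier one is a registry port.
    name, tag = (ref[:colon], ref[colon + 1:]) if colon > slash else (ref, "")
    repo = next((r for r in FIXED if name == r or name.endswith("/" + r)), None)
    if repo is None:
        return name, "not-affected"
    # Accept an optional 'v' prefix and ignore suffixes such as '-browser'.
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return repo, "unknown"
    version = tuple(int(part) for part in m.groups())   # numeric, so 3.12.10 > 3.12.9
    return repo, "patched" if version >= FIXED[repo] else "vulnerable"

def needs_action(image_refs):
    """Return the references that are vulnerable or cannot be judged from the tag."""
    return [r for r in image_refs if classify(r)[1] in ("vulnerable", "unknown")]

# Constructed sample inventory (not real deployment data).
SAMPLE = [
    "grafana/grafana-image-renderer:3.12.8",
    "grafana/grafana-image-renderer:3.12.10",
    "registry.example:5000/grafana/grafana-image-renderer:latest",
    "grafana/synthetic-monitoring-agent:v0.38.2-browser",
    "grafana/synthetic-monitoring-agent:v0.38.3-browser",
    "nginx:1.27",
]

if __name__ == "__main__":
    for ref in SAMPLE:
        print("%-12s %s" % (classify(ref)[1], ref))
```

In practice the references could come from `docker ps --format '{{.Image}}'`. A tag only records what was requested, so an 'unknown' result means the image itself has to be inspected.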
Update 7/3 - Grafana sent the following comment to BleepingComputer:
“Security is a constant and collaborative process, and we once worked quickly to reduce these third-party weaknesses, when they were revealed. As soon as we came to know about the issues related to Chromium through our bug bounty program, we update to all the affected, all the affected, who are fully affected, who are fully affected. Take up our responsibilities for the community and our customers. Encourage to do.


