Grafana security update: Critical severity security release for CVE-2025-5959, CVE-2025-6554, CVE-2025-6191 and CVE-2025-6192 in Grafana Image Renderer plugin and Synthetic Monitoring Agent
We have released updates for the Grafana Image Renderer plugin and the Synthetic Monitoring Agent to address four critical impact vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192) in Chromium, a third-party dependency that both components embed as a headless browser. Chromium is the open-source browser project on which Google Chrome is built; the affected versions contained vulnerabilities that could allow remote code execution.
Users who run the Grafana Image Renderer plugin, or who operate a local installation of the Synthetic Monitoring Agent (a private probe), are advised to update. If you are running Grafana Image Renderer < 3.12.9 or Synthetic Monitoring Agent < 0.38.3, update as soon as possible.
Appropriate patches have been applied to Grafana Cloud. As always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have been notified and have confirmed that their offerings are secure at the time of this announcement. This includes Azure Managed Grafana.
Using the CVSS 3.1 methodology, we have rated these CVEs as critical for the Grafana operating environment. As of today, NIST has not yet assigned a score to any of these CVEs, but you can follow the status of each CVE in the National Vulnerability Database.
Solutions and mitigations
To remediate these vulnerabilities, follow the instructions below for the products you run.
Grafana Image Renderer
Minimum version: 3.12.9
Plugin install: grafana-cli plugins install grafana-image-renderer
Container install: docker pull grafana/grafana-image-renderer:3.12.9
Documentation: https://grafana.com/grafana/plugins/grafana-image-renderer/
Grafana Synthetic Monitoring Agent
Minimum version: 0.38.3
Package download: https://github.com/grafana/synthetic-monitoring-agent/releases/tag/v0.38.3
Container install: docker pull grafana/synthetic-monitoring-agent:v0.38.3-browser
Documentation: https://grafana.com/docs/grafana-cloud/testing/synthetic-monitoring/set-up/set-up-private-probes/
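The following is an added example, not code from the advisory or from Grafana Labs, for checking an inventory of deployed components against the minimum versions above. Its one non-obvious point is that versions must be compared numerically per component, not as strings: a plain string comparison would rank 3.12.10 below 3.12.9 and miss an already-fixed install (or, worse, clear a vulnerable one). The inventory lines are constructed sample data in the "name @ version" shape that `grafana-cli plugins ls` prints for installed plugins (that format is an assumption about the CLI output, so adapt the parser to whatever your inventory produces); the agent entries reuse the container tag form shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): flag Grafana Image Renderer and
# Synthetic Monitoring Agent installs that are below the fixed versions.

# Minimum fixed versions from the advisory.
MIN_IMAGE_RENDERER="3.12.9"
MIN_SM_AGENT="0.38.3"

# Normalise a version string: drop a leading "v" and any "-suffix"
# (e.g. "v0.38.3-browser" -> "0.38.3").
norm_version() {
    local v="${1#v}"
    printf '%s\n' "${v%%-*}"
}

# Return 0 when $1 is strictly older than $2. sort -V orders dotted
# numeric versions component by component, so 3.12.10 > 3.12.9.
version_lt() {
    local a b
    a="$(norm_version "$1")"
    b="$(norm_version "$2")"
    [ "$a" = "$b" ] && return 1
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$a" ]
}

# Print a verdict for one component; return 1 if it needs updating.
# $1 component name, $2 installed version, $3 minimum fixed version
check_component() {
    if version_lt "$2" "$3"; then
        printf 'VULNERABLE %s %s (update to >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
    printf 'OK %s %s\n' "$1" "$2"
}

# Read "name @ version" lines on stdin, check the two components named in
# the advisory, ignore everything else. Exit status = number of vulnerable
# entries found (0 means nothing to do).
scan_inventory() {
    local vulnerable=0 line name ver min
    while IFS= read -r line; do
        name="${line%% @ *}"
        ver="${line##* @ }"
        case "$name" in
            grafana-image-renderer)      min="$MIN_IMAGE_RENDERER" ;;
            synthetic-monitoring-agent)  min="$MIN_SM_AGENT" ;;
            *) continue ;;
        esac
        check_component "$name" "$ver" "$min" || vulnerable=$((vulnerable + 1))
    done
    return "$vulnerable"
}

# Constructed sample inventory (not real output): two hosts on fixed
# versions, two that still need the update.
SAMPLE_INVENTORY='installed plugins:
grafana-image-renderer @ 3.12.8
grafana-image-renderer @ 3.12.10
synthetic-monitoring-agent @ v0.38.1
synthetic-monitoring-agent @ v0.38.3-browser'

# Usage: pipe real inventory in instead of the sample.
#   grafana-cli plugins ls | bash this_script.sh
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | scan_inventory
fi
```

Run against the sample, the script reports 3.12.8 and v0.38.1 as VULNERABLE, accepts 3.12.10 and v0.38.3-browser, and exits with status 2, so it can gate a deployment pipeline directly on its exit code.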
Timeline and post-incident review
Here is a detailed incident timeline, starting from the first upstream Chromium CVE publication. All times are in UTC.
- 2025/06/11 - Google publishes CVE-2025-5959
- 2025/06/18 - 23:58 Bug bounty report submitted
- 2025/06/18 - Google publishes CVE-2025-6191
- 2025/06/18 - Google publishes CVE-2025-6192
- 2025/06/19 - 08:37 Bug bounty report accepted
- 2025/06/19 - 08:56 Updated image renderer published to GitHub (3.12.8)
- 2025/06/19 - 09:38 Updated image renderer deployed to Grafana Cloud
- 2025/06/19 - 16:35 Updates applied to the k6 suite deployed to Grafana Cloud
- 2025/06/24 - 14:21 Updated Synthetic Monitoring Agent released (0.38.1)
- 2025/06/30 - Google publishes CVE-2025-6554
- 2025/07/01 - 13:08 Updated image renderer plugin published to GitHub (3.12.9)
- 2025/07/01 - 13:49 Updated image renderer deployed to Grafana Cloud
- 2025/07/01 - 16:12 Updates applied to the k6 suite deployed to Grafana Cloud
- 2025/07/02 - 09:41 Updated Synthetic Monitoring Agent released (0.38.3)
- 2025/07/02 - 18:00 Blog post published
Acknowledgements
We would like to thank Alex Chapman, who reported the exploitability of CVE-2025-5959 in our products through our bug bounty program.
Reporting security issues
If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
You can also read more about our bug bounty program and find out who has made our Security Hall of Fame.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.