
High-severity Chromium vulnerabilities patched by Grafana


SecurityWeek reports that Grafana has released updates to resolve four high-severity flaws in the Chromium library used by its Image Renderer plugin and Synthetic Monitoring Agent.

The most critical of the vulnerabilities is the actively exploited Chrome V8 JavaScript engine type confusion zero-day, tracked as CVE-2025-6554, which could be leveraged for arbitrary read/write operations. Also addressed were a V8 engine type confusion issue, tracked as CVE-2025-5959, which could be exploited for arbitrary code execution; a V8 engine integer overflow defect, tracked as CVE-2025-6191, which could be abused for out-of-bounds memory access; and a Chrome Profiler use-after-free defect, tracked as CVE-2025-6192, which could be utilized for heap corruption.

All users of Grafana Image Renderer versions prior to 3.12.9 and Synthetic Monitoring Agent releases before 0.38.3 have been urged to immediately upgrade to the fixed versions of their respective software. The updates come after all of these flaws were fixed in Google Chrome for Windows, macOS, and Linux.
