Summary : Grafana has issued urgent patches to address multiple high-severity vulnerabilities stemming from underlying flaws in the Chromium V8 JavaScript engine.

OEM	Google
Severity	High
CVSS Score	8.1
CVEs	CVE-2025-6554, CVE-2025-5959, CVE-2025-6191 CVE-2025-6192
POC Available	No
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview 

The most critical of these, CVE-2025-6554, is a zero-day vulnerability that was actively exploited in the wild. Several of these bugs, if unpatched, could allow attackers to execute arbitrary code, perform memory corruption or bypass sandbox protections via malicious HTML content.

Grafana users running affected versions of Image Renderer and Synthetic Monitoring Agent are strongly advised to update immediately. 

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
​Type Confusion in V8 Engine vulnerability	CVE-2025-6554	Google Chrome	High	138.0.7204.96/.97 (Windows)   138.0.7204.92/.93 (Mac)   138.0.7204.96 (Linux)
Type Confusion in V8 Engine vulnerability	CVE-2025-5959	Google Chrome	High	137.0.7151.103/.104 (Windows & Mac) 137.0.7151.103 (Linux)
Integer overflow in V8 Engine vulnerability	CVE-2025-6191	Google- Chrome	High	137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux)
Use-after-free in Metrics (Profiler) in Google Chrome	CVE-2025-6192	Google- Chrome	High	137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux)

Technical Summary 

Grafana has patched four high-severity Chromium V8 vulnerabilities in its Image Renderer and Synthetic Monitoring Agent. The most critical, CVE-2025-6554 is a zero-day type confusion bug that was actively exploited. Other flaws include CVE-2025-5959 (remote code execution), CVE-2025-6191 (integer overflow) and CVE-2025-6192 (use-after-free).

Affected versions are Image Renderer < 3.12.9 and Synthetic Monitoring Agent < 0.38.3. Users should update immediately to stay protected. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-6554	Chrome on Windows, macOS, Linux	Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution	Remote code execution.  Potential system compromise.
CVE-2025-5959	Chrome on Windows, macOS, Linux	Type Confusion in V8 in Google Chrome prior to allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.	Remote code execution.  Potential system compromise.
CVE-2025-6191	Chrome on Windows, macOS, Linux	Integer overflows in V8 in Google Chrome prior to allowing a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.	Arbitrary code execution. Memory Corruption.
CVE-2025-6192	Chrome on Windows, macOS, Linux	Use after free in Metrics in Google Chrome prior to allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page.	Arbitrary code execution.

Remediation: 

• Users should immediately update Google Chrome to the latest patched version: 

• Windows: 138.0.7204.96/.97, 137.0.7151.103/.104, 137.0.7151.119/.120 

• macOS: 138.0.7204.92/.93, 137.0.7151.103/.104, 137.0.7151.119/.120 

• Linux: 138.0.7204.96, 137.0.7151.103, 137.0.7151.119 

Other Chromium-based browsers (Edge, Brave, Opera etc.) should also be updated as patches become available from their respective vendors. 

Conclusion: 
The criticality of CVE-2025-6554, CVE-2025-5959, CVE-2025-6191, CVE-2025-6192 in the wild highlights the urgency of applying the latest Chrome security update.

Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks. 

References: 

• https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html 

• https://www.securityweek.com/grafana-patches-chromium-bugs-including-zero-day-exploited-in-the-wild/ 

• https://intruceptlabs.com/2025/07/google-chrome-zero-day-vulnerability-cve-2025-6554-actively-exploited-patch-now/