After upgrading grafana-image-renderer to the newest version 4.0.17 there is an error:
Error obtaining render: 500 Internal Server Error
In grafana.log there is an error:
logger=rendering renderer=plugin t=2025-10-10T14:00:21.431365764+02:00 level=error msg="Failed to render image" path="d-solo/dhcxx-0Wz/_?from=now-1d%2Fd&height=360&panelId=11&theme=light&to=now-1d%2Fd&var-Datenbank=dbserver-inst7-DB1&width=480" error="rendering failed: Error: File path should not include directories"
logger=context userId=6 orgId=2 uname=sa-autogen-2-icinga2 t=2025-10-10T14:00:21.455822338+02:00 level=error msg="Rendering failed." error="rendering failed: Error: File path should not include directories"
logger=context userId=6 orgId=2 uname=sa-autogen-2-icinga2 t=2025-10-10T14:00:21.456795833+02:00 level=error msg="Request error" error="Context.HTML - Error rendering template: error. You may need to build frontend assets \n template: error:16:42: executing "error" at <.Assets.Dark>: can't evaluate field Assets in type struct { Title string; AppTitle string; AppSubUrl string; ThemeType string; ErrorMsg error }"
Since in the logs there is a "File Path", the cause of the error could be the correction of CVE-2025-11539 in grafana-image-renderer to 4.0.7:
Summary
Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded by the Chromium process.
With grafana-image-renderer 3.12.6 and 4.0.16 there are no problems.
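
An added example, not part of the original post and not grafana-image-renderer source code: a hypothetical bare-file-name check that raises the error message seen in the log above. The function names, the base directory and the sample inputs are assumptions. It shows that a check this strict rejects a traversal-style value and an ordinary absolute path alike.

```javascript
// Added example: hypothetical validator, not grafana-image-renderer source.
// Only the error message text is taken from the log lines on this page.
const DIR_ERROR = 'File path should not include directories';

// Accept a bare file name only: no separators, no NUL byte, no "." or "..".
function validateFileName(filePath) {
  if (typeof filePath !== 'string' || filePath.length === 0) {
    throw new Error('File path is required');
  }
  if (/[\/\\\0]/.test(filePath) || filePath === '.' || filePath === '..') {
    throw new Error(DIR_ERROR);
  }
  return filePath;
}

// Build the output location from a server-chosen directory plus the
// validated name, so the caller never controls the directory part.
function resolveOutput(baseDir, filePath) {
  const name = validateFileName(filePath);
  return baseDir.replace(/\/+$/, '') + '/' + name;
}

// Run the check over a list of inputs and report the outcome for each one.
function checkAll(baseDir, inputs) {
  return inputs.map((input) => {
    try {
      return { input, ok: true, result: resolveOutput(baseDir, input) };
    } catch (err) {
      return { input, ok: false, result: err.message };
    }
  });
}

// Constructed sample inputs (not taken from the page).
const SAMPLES = [
  'panel-11.csv',                    // bare name: accepted
  '../../usr/lib/example.so',        // relative traversal: rejected
  '/var/lib/grafana/png/abc123.png', // absolute path from a caller: also rejected
];

for (const r of checkAll('/tmp/renderer-out', SAMPLES)) {
  console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${r.input} -> ${r.result}`);
}
```
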