google/puppeteer Vulnerabilities

[kvaghasia]

AWS Inspector in GovCloud has reported the following vulnerabilities for the image docker.io/grafana/grafana-image-renderer with tags: 3.12.1, 3.12.2, 3.12.3, 3.12.4. This image is running on AWS ECS services.

The identified vulnerabilities are categorized as Critical, High, and Medium:

Critical Vulnerabilities:

CVE-2024-9369 - google/puppeteer
CVE-2024-7971 - google/puppeteer

High Vulnerabilities:

CVE-2025-0291 - google/puppeteer
CVE-2024-8638 - google/puppeteer
CVE-2024-7025 - google/puppeteer
CVE-2024-9954 - google/puppeteer
CVE-2024-8904 - google/puppeteer
CVE-2024-7534 - google/puppeteer
CVE-2024-12695 - google/puppeteer
CVE-2024-7965 - google/puppeteer
CVE-2024-9959 - google/puppeteer
CVE-2024-7023 - google/puppeteer
CVE-2024-12381 - google/puppeteer
CVE-2025-0437 - google/puppeteer
CVE-2024-8193 - google/puppeteer
CVE-2024-8194 - google/puppeteer
CVE-2024-8198 - google/puppeteer
CVE-2024-9955 - google/puppeteer
CVE-2024-7967 - google/puppeteer
CVE-2024-7532 - google/puppeteer
CVE-2024-12693 - google/puppeteer
CVE-2024-8636 - google/puppeteer
CVE-2024-9602 - google/puppeteer
CVE-2024-9603 - google/puppeteer
CVE-2024-9122 - google/puppeteer
CVE-2024-10488 - google/puppeteer
CVE-2024-7536 - google/puppeteer
CVE-2024-11113 - google/puppeteer
CVE-2025-27113 - libxml2
CVE-2024-12382 - google/puppeteer
CVE-2024-10229 - google/puppeteer
CVE-2024-10230 - google/puppeteer
CVE-2024-10231 - google/puppeteer
CVE-2024-7970 - google/puppeteer
CVE-2024-7974 - google/puppeteer
CVE-2024-7973 - google/puppeteer
CVE-2024-7968 - google/puppeteer
CVE-2024-10487 - google/puppeteer
CVE-2024-10827 - google/puppeteer
CVE-2024-7550 - google/puppeteer
CVE-2024-7969 - google/puppeteer
CVE-2024-9121 - google/puppeteer
CVE-2024-12053 - google/puppeteer
CVE-2024-9123 - google/puppeteer
CVE-2024-12694 - google/puppeteer
CVE-2024-7966 - google/puppeteer
CVE-2024-7535 - google/puppeteer
CVE-2024-8362 - google/puppeteer
CVE-2024-7972 - google/puppeteer
CVE-2024-9960 - google/puppeteer
CVE-2024-12692 - google/puppeteer
CVE-2024-8905 - google/puppeteer

Medium Vulnerabilities:

CVE-2024-8908 - google/puppeteer
CVE-2024-11117 - google/puppeteer
CVE-2024-7976 - google/puppeteer
CVE-2024-8906 - google/puppeteer
CVE-2024-11403 - libjxl
CVE-2024-7981 - google/puppeteer
CVE-2024-7975 - google/puppeteer
CVE-2011-1802 - google/puppeteer
CVE-2024-9964 - google/puppeteer
CVE-2024-7978 - google/puppeteer
CVE-2024-11111 - google/puppeteer
CVE-2024-11498 - libjxl
CVE-2024-9958 - google/puppeteer
CVE-2024-11116 - google/puppeteer
CVE-2024-9962 - google/puppeteer
CVE-2011-1803 - google/puppeteer
CVE-2024-11110 - google/puppeteer
CVE-2024-9963 - google/puppeteer
CVE-2024-9966 - google/puppeteer

Given the number of vulnerabilities reported, could you please provide a timeline for when these issues are expected to be addressed?

Thank you for your attention to this matter, and I appreciate your prompt response.

[evictorero]

Hi @kvaghasia What is the Chrome version the scanner is using? We run scanners in our services and these CVEs are not present.
For example, the latest version you mention, 3.12.4, is running Chrome/134.0.6998.117. I've checked a few CVEs you shared, and they are all related to an older Chrome version.
There is also a new version if you want to check.

[kvaghasia]

Hi @evictorero Thank you for your reply. I pulled "docker pull --platform linux/amd64 grafana/grafana-image-renderer:3.12.5" and pushed new version to AWS ECR. AWS Inspector is reporting following vulnerabilities for the new version.

Critical Vulnerabilities:
CVE-2024-7971 - google/puppeteer
CVE-2024-9369 - google/puppeteer

High Vulnerabilities:
CVE-2024-7974 - google/puppeteer
CVE-2024-8904 - google/puppeteer
CVE-2025-0762 - google/puppeteer
CVE-2024-10230 - google/puppeteer
CVE-2025-0438 - google/puppeteer
CVE-2025-0436 - google/puppeteer
CVE-2025-2137 - google/puppeteer
CVE-2024-12381 - google/puppeteer
CVE-2024-7025 - google/puppeteer
CVE-2025-0437 - google/puppeteer
CVE-2025-2135 - google/puppeteer
CVE-2025-0611 - google/puppeteer
CVE-2024-10231 - google/puppeteer
CVE-2024-10827 - google/puppeteer
CVE-2024-9954 - google/puppeteer
CVE-2024-12692 - google/puppeteer
CVE-2024-11395 - google/puppeteer
CVE-2025-3066 - google/puppeteer
CVE-2024-12693 - google/puppeteer
CVE-2024-9603 - google/puppeteer
CVE-2025-1920 - google/puppeteer
CVE-2025-0291 - google/puppeteer
CVE-2025-0997 - google/puppeteer
CVE-2024-7536 - google/puppeteer
CVE-2025-0443 - google/puppeteer
CVE-2024-9122 - google/puppeteer
CVE-2024-8194 - google/puppeteer
CVE-2025-1006 - google/puppeteer
CVE-2025-2476 - google/puppeteer
CVE-2025-1919 - google/puppeteer
CVE-2024-12053 - google/puppeteer
CVE-2024-11113 - google/puppeteer
CVE-2024-12695 - google/puppeteer
CVE-2024-9121 - google/puppeteer
CVE-2024-8193 - google/puppeteer
CVE-2025-0995 - google/puppeteer
CVE-2024-7970 - google/puppeteer
CVE-2024-9959 - google/puppeteer
CVE-2024-7965 - google/puppeteer
CVE-2024-9955 - google/puppeteer
CVE-2025-1914 - google/puppeteer
CVE-2024-8198 - google/puppeteer
CVE-2024-8905 - google/puppeteer
CVE-2024-8362 - google/puppeteer
CVE-2025-0447 - google/puppeteer
CVE-2024-10487 - google/puppeteer
CVE-2024-7972 - google/puppeteer
CVE-2025-3069 - google/puppeteer
CVE-2024-10229 - google/puppeteer
CVE-2025-0612 - google/puppeteer
CVE-2024-7023 - google/puppeteer
CVE-2025-2136 - google/puppeteer
CVE-2024-12694 - google/puppeteer
CVE-2024-7534 - google/puppeteer
CVE-2024-9123 - google/puppeteer
CVE-2024-7550 - google/puppeteer
CVE-2024-9960 - google/puppeteer
CVE-2025-3620 - google/puppeteer
CVE-2025-1918 - google/puppeteer
CVE-2024-7969 - google/puppeteer
CVE-2024-10488 - google/puppeteer
CVE-2025-0999 - google/puppeteer
CVE-2024-9602 - google/puppeteer
CVE-2024-7535 - google/puppeteer
CVE-2024-7973 - google/puppeteer
CVE-2024-7967 - google/puppeteer
CVE-2024-7966 - google/puppeteer
CVE-2025-1916 - google/puppeteer
CVE-2024-7968 - google/puppeteer
CVE-2024-12382 - google/puppeteer
CVE-2024-8636 - google/puppeteer
CVE-2024-8638 - google/puppeteer
CVE-2025-0434 - google/puppeteer
CVE-2024-7532 - google/puppeteer

Medium Vulnerabilities:
CVE-2024-9966 - google/puppeteer
CVE-2024-9963 - google/puppeteer
CVE-2025-3070 - google/puppeteer
CVE-2024-11116 - google/puppeteer
CVE-2025-0444 - google/puppeteer
CVE-2024-7981 - google/puppeteer
CVE-2024-11117 - google/puppeteer
CVE-2024-9958 - google/puppeteer
CVE-2024-11110 - google/puppeteer
CVE-2024-7976 - google/puppeteer
CVE-2025-0441 - google/puppeteer
CVE-2025-0439 - google/puppeteer
CVE-2025-0445 - google/puppeteer
CVE-2025-3071 - google/puppeteer
CVE-2024-7978 - google/puppeteer
CVE-2025-3073 - google/puppeteer
CVE-2011-1803 - google/puppeteer
CVE-2011-1802 - google/puppeteer
CVE-2025-3074 - google/puppeteer
CVE-2024-11111 - google/puppeteer
CVE-2025-1923 - google/puppeteer
CVE-2025-0442 - google/puppeteer
CVE-2024-9964 - google/puppeteer
CVE-2024-7975 - google/puppeteer
CVE-2025-0446 - google/puppeteer
CVE-2025-0448 - google/puppeteer
CVE-2024-9962 - google/puppeteer
CVE-2024-8906 - google/puppeteer
CVE-2024-8908 - google/puppeteer
CVE-2025-0451 - google/puppeteer
CVE-2025-1921 - google/puppeteer
CVE-2025-3072 - google/puppeteer

Would you be able to check image in AWS Inspector on your end ?

Thank you

Keyur

[evictorero]

I can't check it in AWS but I can confirm Grafana image renderer is using Chrome 135.0.7049.95 and the flagged versions in this list are related to an older Chrome.

[kvaghasia]

Hello @evictorero

We reached out to AWS support and they reviewed these Inspector findings further. Upon a deeper inspection of the docker.io/grafana/grafana-image-renderer image, they were able to confirm that Google Puppeteer was installed to this image as version 22.15.0. This artifact can be found in /usr/src/app/node_modules/puppeteer/package.json. As per the Puppeteer documentation, [0], Puppeteer version 22.15.0 is mapped to Google Chrome version 127.0.6533.88, which is vulnerable to these CVEs.

They recommended creating a new image once the Chrome version has been updated.

Puppeteer version 22.15.0 : https://pptr.dev/supported-browsers

Thank you

[AgnesToulet]

It's true that we are using Puppeteer 22.15.0 but we don't use it to download chromium in the Docker image as you can see here and there (also we don't use Chrome for Testing but chromium).

So these are false positives that only check the Puppeteer version instead of the real chromium installation.

[kvaghasia]

Hello,

As mentioned earlier, we are using image as-is downloaded from docker.io.

Below are comments from AWS Support :

Our service team confirmed that Amazon Inspector identifies vulnerabilities by examining the installed packages in your environment, including dependencies. When Inspector detects Puppeteer 22.15.0, it associates this with Chrome version 127.0.6533.88 based on Puppeteer's documented version mappings, which is why these CVEs are being flagged.

Based on the information provided, it appears the vendor has implemented a custom configuration where they've specified a different Chromium installation rather than using Puppeteer's bundled Chrome version by leveraging environment variable PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true. However, Amazon Inspector cannot definitively determine whether the bundled vulnerable Chrome version has been downloaded into the container or completely bypassed through this custom configuration.

To troubleshoot these issues further, we would recommend confirming the following:

• Verify the exact Chromium version running in your environment.
• Confirm whether Puppeteer's installation process still downloaded its associated Chrome version, even if unused.
• Assess whether the custom Chromium implementation mitigates the specific vulnerabilities identified.

Would you be able to assist with providing information for the above ask?

Thank you