CVE-2025-61601
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's Choices response type. By submitting a malicious payload with a massive array in the answerIds field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| bigbluebutton | bigbluebutton | < 3.0.13 | affected |
Weaknesses
- CWE-703: CWE-703: Improper Check or Handling of Exceptional Conditions
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5
- https://www.youtube.com/watch?v=BwROSVIYjOY
References
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5
- https://github.com/bigbluebutton/bigbluebutton/pull/23662
- https://www.youtube.com/watch?v=BwROSVIYjOY
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.