CVE-2025-61601

Published: Oct 9, 2025Modified: Oct 20, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.

Affected (1)

Products: Bigbluebutton: Bigbluebutton

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bigbluebutton Bigbluebutton	Before 3.0.13

Related CWEs

Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

References (5)

https://github.com/bigbluebutton/bigbluebutton/pull/23662

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5

Source: security-advisories@github.com

ExploitVendor Advisory

https://www.youtube.com/watch?v=BwROSVIYjOY

Source: security-advisories@github.com

Exploit

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

https://www.youtube.com/watch?v=BwROSVIYjOY

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit

Timeline

No history available yet.