CVE-2025-61601
BaseFortify
Publication date: 2025-10-09
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bigbluebutton | bigbluebutton | to 3.0.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61601 is a Denial of Service (DoS) vulnerability in BigBlueButton versions prior to 3.0.13. It occurs in the GraphQL mutation used to submit poll answers, specifically in the `pollSubmitUserVote` operation. An authenticated user can exploit this by submitting a maliciously large array in the `answerIds` field, which the backend fails to properly validate. This causes the current meeting session and potentially the entire BigBlueButton server to freeze or crash, making the service unresponsive. [1, 2]
How can this vulnerability impact me? :
This vulnerability can cause the BigBlueButton server to become unresponsive or crash, disrupting all ongoing meetings and affecting all users on the server. Features like chat, webcam, and other meeting functionalities freeze, resulting in denial of service. Since the attack requires only authenticated access and has low complexity, it can be exploited easily, leading to significant availability impact for users relying on the platform. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring GraphQL requests to the BigBlueButton server, specifically the `pollSubmitUserVote` mutation. Look for authenticated user requests where the `answerIds` array in the mutation payload contains an unusually large number of entries (hundreds of thousands) or malformed data. Detection can involve intercepting and inspecting GraphQL traffic using tools like Burp Suite or network packet capture utilities. There are no specific commands provided in the resources, but using a proxy or API monitoring tool to filter for `pollSubmitUserVote` requests with large `answerIds` arrays is recommended. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade BigBlueButton to version 3.0.13 or later, which includes a patch that adds strict validation to the `pollSubmitUserVote` GraphQL mutation. This patch limits the maximum number of poll answer IDs to 100 per submission and rejects duplicate entries, preventing the denial of service condition. No workarounds are available, so upgrading is the recommended and effective mitigation. [2, 3]