CVE-2025-61601
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-20

Assigner: GitHub, Inc.

Description
BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting β€” and potentially all meetings on the server β€” to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-09
Last Modified
2025-10-20
Generated
2026-06-16
AI Q&A
2025-10-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61601
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bigbluebutton bigbluebutton to 3.0.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61601 is a Denial of Service (DoS) vulnerability in BigBlueButton versions prior to 3.0.13. It occurs in the GraphQL mutation used to submit poll answers, specifically in the `pollSubmitUserVote` operation. An authenticated user can exploit this by submitting a maliciously large array in the `answerIds` field, which the backend fails to properly validate. This causes the current meeting session and potentially the entire BigBlueButton server to freeze or crash, making the service unresponsive. [1, 2]

Impact Analysis

This vulnerability can cause the BigBlueButton server to become unresponsive or crash, disrupting all ongoing meetings and affecting all users on the server. Features like chat, webcam, and other meeting functionalities freeze, resulting in denial of service. Since the attack requires only authenticated access and has low complexity, it can be exploited easily, leading to significant availability impact for users relying on the platform. [2]

Detection Guidance

This vulnerability can be detected by monitoring GraphQL requests to the BigBlueButton server, specifically the `pollSubmitUserVote` mutation. Look for authenticated user requests where the `answerIds` array in the mutation payload contains an unusually large number of entries (hundreds of thousands) or malformed data. Detection can involve intercepting and inspecting GraphQL traffic using tools like Burp Suite or network packet capture utilities. There are no specific commands provided in the resources, but using a proxy or API monitoring tool to filter for `pollSubmitUserVote` requests with large `answerIds` arrays is recommended. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade BigBlueButton to version 3.0.13 or later, which includes a patch that adds strict validation to the `pollSubmitUserVote` GraphQL mutation. This patch limits the maximum number of poll answer IDs to 100 per submission and rejects duplicate entries, preventing the denial of service condition. No workarounds are available, so upgrading is the recommended and effective mitigation. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61601. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart