CVE-2025-61602
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-20

Assigner: GitHub, Inc.

Description
BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-09
Last Modified
2025-10-20
Generated
2026-06-16
AI Q&A
2025-10-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61602
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bigbluebutton bigbluebutton to 3.0.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61602 is a denial-of-service (DoS) vulnerability in BigBlueButton versions prior to 3.0.13. It occurs because the system does not properly validate the 'reactionEmojiId' parameter in the GraphQL mutation 'chatSendMessageReaction'. An authenticated user can send a malformed or invalid 'reactionEmojiId', causing the chat frontend to crash with an error, which disrupts chat functionality for all meeting participants. [1]

Impact Analysis

This vulnerability can cause a complete loss of chat availability during a meeting session, preventing users from reading or sending messages. It disrupts communication for all participants in the meeting. The attack is easy to perform remotely by any authenticated user without special privileges or user interaction. [1]

Detection Guidance

This vulnerability can be detected by monitoring GraphQL mutation traffic for the `chatSendMessageReaction` mutation containing malformed or invalid `reactionEmojiId` values, such as unexpected strings like "grinning123-dos". Since the attack causes the chat frontend to crash with the error "Cannot read properties of undefined (reading 'skins')", checking application logs for this error during meetings can also indicate exploitation attempts. Specific commands depend on your monitoring tools, but for example, using network capture tools like tcpdump or Wireshark to filter GraphQL mutation requests, or searching server logs for the error message, can help detect the issue. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade BigBlueButton to version 3.0.13 or later, which contains the patch removing the vulnerable `reactionEmojiId` parameter and fixes the issue. There are no known workarounds available, so applying the update is necessary to prevent exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart