CVE-2025-61602
BaseFortify
Publication date: 2025-10-09
Last updated on: 2025-10-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bigbluebutton | bigbluebutton | to 3.0.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61602 is a denial-of-service (DoS) vulnerability in BigBlueButton versions prior to 3.0.13. It occurs because the system does not properly validate the 'reactionEmojiId' parameter in the GraphQL mutation 'chatSendMessageReaction'. An authenticated user can send a malformed or invalid 'reactionEmojiId', causing the chat frontend to crash with an error, which disrupts chat functionality for all meeting participants. [1]
How can this vulnerability impact me?
This vulnerability can cause a complete loss of chat availability during a meeting session, preventing users from reading or sending messages. It disrupts communication for all participants in the meeting. The attack is easy to perform remotely by any authenticated user without special privileges or user interaction. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring GraphQL mutation traffic for the `chatSendMessageReaction` mutation containing malformed or invalid `reactionEmojiId` values, such as unexpected strings like "grinning123-dos". Since the attack causes the chat frontend to crash with the error "Cannot read properties of undefined (reading 'skins')", checking application logs for this error during meetings can also indicate exploitation attempts. Specific commands depend on your monitoring tools, but for example, using network capture tools like tcpdump or Wireshark to filter GraphQL mutation requests, or searching server logs for the error message, can help detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade BigBlueButton to version 3.0.13 or later, which contains the patch removing the vulnerable `reactionEmojiId` parameter and fixes the issue. There are no known workarounds available, so applying the update is necessary to prevent exploitation. [1, 2]
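The detection and mitigation answers above can be turned into a small log-scanning check. The following Python script is an added example, not code from BaseFortify or from the BigBlueButton project: it flags `chatSendMessageReaction` requests whose `reactionEmojiId` is missing or not an allowlisted emoji id, counts occurrences of the crash error quoted above in a frontend log, and reports whether a deployed version is below 3.0.13. The JSON-lines request log format, the field names `op`, `user` and `vars`, and the emoji-id allowlist are assumptions; substitute the request log format your GraphQL gateway actually writes and the emoji-id set your deployment serves.

```python
import json
import re
from dataclasses import dataclass

# Crash error string quoted in the advisory Q&A above.
CRASH_ERROR = "Cannot read properties of undefined (reading 'skins')"

# GraphQL mutation named in the advisory.
MUTATION = "chatSendMessageReaction"

# First fixed version according to the advisory text.
FIXED_VERSION = (3, 0, 13)

# ASSUMPTION: placeholder allowlist of emoji ids. Replace with the id set your
# deployment's emoji picker actually offers; anything outside it is suspicious.
KNOWN_EMOJI_IDS = frozenset({"grinning", "thumbsup", "heart", "clap"})


@dataclass
class Finding:
    line_no: int
    user: str
    value: object
    reason: str


def is_valid_reaction_emoji_id(value):
    """A reaction id is acceptable only if it is a string on the allowlist."""
    return isinstance(value, str) and value in KNOWN_EMOJI_IDS


def scan_graphql_log(lines):
    """Return one Finding per chatSendMessageReaction call with a bad emoji id.

    ASSUMPTION: each line is a JSON object with keys "op", "user" and "vars";
    real gateway logs will need a different parser.
    """
    findings = []
    for n, raw in enumerate(lines, 1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON record, ignore
        if rec.get("op") != MUTATION:
            continue
        value = rec.get("vars", {}).get("reactionEmojiId")
        if is_valid_reaction_emoji_id(value):
            continue
        reason = "missing" if value is None else "not an allowlisted emoji id"
        findings.append(Finding(n, rec.get("user", "?"), value, reason))
    return findings


def count_crash_errors(lines):
    """Count frontend log lines carrying the crash error from the advisory."""
    return sum(1 for line in lines if CRASH_ERROR in line)


def parse_version(text):
    """Parse a leading MAJOR.MINOR.PATCH triple; suffixes after it are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version):
    """True when the deployed version predates the fix in 3.0.13."""
    return parse_version(version) < FIXED_VERSION


# Constructed sample input; these are not real BigBlueButton log lines.
SAMPLE_GRAPHQL_LOG = [
    '{"ts":"2025-10-09T10:00:01Z","user":"alice","op":"chatSendMessageReaction","vars":{"reactionEmojiId":"grinning"}}',
    '{"ts":"2025-10-09T10:00:02Z","user":"bob","op":"chatSendMessage","vars":{"message":"hi"}}',
    '{"ts":"2025-10-09T10:00:03Z","user":"carol","op":"chatSendMessageReaction","vars":{"reactionEmojiId":"grinning123-dos"}}',
    '{"ts":"2025-10-09T10:00:04Z","user":"carol","op":"chatSendMessageReaction","vars":{}}',
]
SAMPLE_FRONTEND_LOG = [
    "2025-10-09T10:00:03Z ERROR TypeError: Cannot read properties of undefined (reading 'skins')",
    "2025-10-09T10:00:05Z INFO chat panel reloaded",
]

if __name__ == "__main__":
    for f in scan_graphql_log(SAMPLE_GRAPHQL_LOG):
        print(f"line {f.line_no}: user={f.user} reactionEmojiId={f.value!r} ({f.reason})")
    print("frontend crash errors:", count_crash_errors(SAMPLE_FRONTEND_LOG))
    print("3.0.12 needs upgrade:", needs_upgrade("3.0.12"))
```

Correlating a flagged request with a crash error at roughly the same timestamp is the strongest signal; a single odd `reactionEmojiId` with no crash may just be a client bug, while the crash error without any flagged request suggests the request log is not capturing mutation variables and should be extended.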