Denial of Service Vulnerability in BigBlueButton by Blindside Networks
CVE-2025-61601

7.5 HIGH

Key Information:

Vendor: Blindside Networks
CVE Published: 9 October 2025

What is CVE-2025-61601?

A Denial of Service vulnerability exists in BigBlueButton, the open-source virtual classroom software, that allows authenticated users to freeze or crash the server. It is triggered through the polling feature's Choices response type: a malicious response carrying a very large array in the answerIds field can make the affected meeting, and all concurrent meetings on that server, unresponsive. Users are advised to upgrade to version 3.0.13 or later; earlier versions are susceptible, and no known workarounds exist.
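The defensive check this class of bug calls for is to bound the answerIds array by the poll's own choice count before any per-element work happens. The following is an added example, not BigBlueButton's code: the message shape (a response with answerIds, a poll with an answers list and an isMultipleResponse flag), the function names and the MAX_ANSWERS_PER_POLL limit are all assumptions.

```javascript
// Added illustration, not BigBlueButton's own code. Validates a poll "Choices"
// response so that an oversized answerIds array is rejected in O(1) time,
// before anything iterates over it. All names and limits below are assumed.

const MAX_ANSWERS_PER_POLL = 64; // assumed cap on choices a single poll may have

// Guard applied when a poll is created: the number of choices bounds every
// later response, so it must itself be bounded.
function validatePollDefinition(answers) {
  if (!Array.isArray(answers) || answers.length === 0 || answers.length > MAX_ANSWERS_PER_POLL) {
    return { ok: false, reason: `a poll must have 1..${MAX_ANSWERS_PER_POLL} choices` };
  }
  return { ok: true };
}

// Guard applied to each incoming response. `poll` is the server-side record
// ({ answers: [...], isMultipleResponse: bool }); `response.answerIds` is
// caller-controlled and therefore untrusted.
function validatePollResponse(poll, response) {
  const answerIds = response && response.answerIds;
  if (!Array.isArray(answerIds)) {
    return { ok: false, reason: 'answerIds must be an array' };
  }
  // Length check first: constant time, and it runs before any loop over the
  // array, which is exactly where a huge payload would cost CPU and memory.
  const maxAllowed = poll.isMultipleResponse ? poll.answers.length : 1;
  if (answerIds.length === 0 || answerIds.length > maxAllowed) {
    return { ok: false, reason: `expected 1..${maxAllowed} answer ids, got ${answerIds.length}` };
  }
  // Only now is the (small) array walked: every id must name a real choice and
  // appear once, so a response can never weigh more than the poll itself.
  const seen = new Set();
  for (const id of answerIds) {
    if (!Number.isInteger(id) || id < 0 || id >= poll.answers.length) {
      return { ok: false, reason: `answer id ${String(id)} is not a choice of this poll` };
    }
    if (seen.has(id)) {
      return { ok: false, reason: `duplicate answer id ${id}` };
    }
    seen.add(id);
  }
  return { ok: true, answerIds: [...seen] };
}

// Constructed sample poll used for the checks below.
const SAMPLE_POLL = { answers: ['A', 'B', 'C', 'D'], isMultipleResponse: true };
```

The same bound belongs wherever a response is fanned out to other clients or persisted, since each of those paths is again linear in the array size.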

Affected Version(s)

bigbluebutton < 3.0.13

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
