Denial-of-Service Vulnerability in BigBlueButton Open-Source Virtual Classroom
CVE-2025-61602

7.5HIGH

Key Information:

Vendor: Bigbluebutton
Status: Bigbluebutton
Vendor: CVE Published:; 9 October 2025

🔔 Create Bigbluebutton Vulnerability Alert

What is CVE-2025-61602?

BigBlueButton, an open-source virtual classroom solution, has a flaw that allows authenticated users to disrupt chat functionality for all meeting participants. By sending a specially crafted reactionEmojiId through the GraphQL mutation chatSendMessageReaction, users can crash the chat feature. Affected versions are prior to 3.0.13, which includes a patch to resolve this issue. No alternative measures are known to mitigate this vulnerability.

Affected Version(s)

bigbluebutton < 3.0.13

References

https://github.com/bigbluebutton/bigbluebutton/security/a...

x_refsource_CONFIRM

https://github.com/bigbluebutton/bigbluebutton/pull/23651

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 9, 2025
Vulnerability Reserved
Sep 26, 2025

JSON