Unrated severity · NVD Advisory · Published Oct 9, 2025 · Updated Oct 15, 2025
BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation
CVE-2025-61601
Description
BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's Choices response type. By submitting a malicious payload with a massive array in the answerIds field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
Affected products
- Range: < 3.0.13
References
- github.com/bigbluebutton/bigbluebutton/pull/23662 (mitre, x_refsource_MISC)
- github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5 (mitre, x_refsource_CONFIRM)
- www.youtube.com/watch (mitre, x_refsource_MISC)