BigBlueButton DoS via Polling Choices before 3.0.13
CVE-2025-61601 Published on October 9, 2025
BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation
BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting and potentially all meetings on the server to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
Vulnerability Analysis
CVE-2025-61601 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Improper Check or Handling of Exceptional Conditions
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
Products Associated with CVE-2025-61601
Want to know whenever a new CVE is published for Bigbluebutton? stack.watch will email you.
Affected Versions
bigbluebutton Version < 3.0.13 is affected by CVE-2025-61601Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.