exploitDog

CVE-2025-61601

Published: 09 Oct 2025
Source: nvd
CVSS3: 7.5
EPSS: Low

Description

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's Choices response type. By submitting a malicious payload with a massive array in the answerIds field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.

Vulnerable configurations

Configuration 1
cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*
Versions up to (excluding) 3.0.13

EPSS

Percentile: 22%
0.00071
Low

7.5 High

CVSS3

Weaknesses

CWE-703
