CVE-2025-61602 in BigBlueButton

Summary

by MITRE • 10/10/2025

BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available.


Analysis

by VulDB Data Team • 10/10/2025

The vulnerability CVE-2025-61602 affects BigBlueButton versions prior to 3.0.13 and represents a critical denial-of-service flaw in the platform's chat functionality. The issue stems from inadequate input validation in the GraphQL mutation endpoint that handles chat message reactions: in the `chatSendMessageReaction` mutation, the `reactionEmojiId` parameter is processed without proper sanitization or validation, giving any authenticated user a way to deliberately disrupt service for all participants in the meeting.

The technical flaw manifests when an authenticated user submits a malformed `reactionEmojiId` value through the GraphQL interface. Because the value is not rejected by input validation, backend processing of the reaction fails, and chat functionality breaks down for the entire affected meeting. The vulnerability operates at the application layer through the platform's GraphQL API endpoint, and it is particularly dangerous because exploitation requires only an authenticated meeting participant. The flaw aligns with CWE-20 (improper input validation) and demonstrates how a seemingly benign user interaction can be turned into a service disruption.

From an operational perspective, this vulnerability presents significant risks to virtual classroom environments where real-time communication is essential. The denial-of-service impact affects all participants in a meeting simultaneously, potentially disrupting educational activities, training sessions, or collaborative work. The authenticated nature of the exploit means that malicious actors within the organization or those who have gained legitimate credentials can cause widespread disruption without requiring external access. This vulnerability particularly impacts the availability aspect of the CIA triad, as it directly compromises the system's ability to provide services to authorized users.

Security practitioners should immediately upgrade to BigBlueButton version 3.0.13 or later to remediate this vulnerability, as no effective workarounds are available. The patch in version 3.0.13 closes the input validation gap by properly sanitizing the `reactionEmojiId` parameter before processing. Organizations should also monitor for unusual GraphQL mutation patterns and consider rate limiting for chat-related operations to minimize the potential impact. This vulnerability demonstrates the importance of validating all user input at API endpoints and aligns with ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation), as it targets service availability through application-layer manipulation. The incident underscores the necessity of comprehensive input validation and the potential for authenticated users to cause significant disruption when proper security controls are absent.
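As an added illustration of the two mitigations the analysis names, allow-list validation of the reaction id before it reaches the code that updates reaction state, and per-user monitoring of rejected mutations: this is example code, not BigBlueButton's own, and the accepted id set, the log line format and the alert threshold are constructed assumptions.

```typescript
// Added example, not BigBlueButton code. The allow-list, log format and
// threshold below are constructed assumptions for illustration only.

// Constructed allow-list of reaction ids the server is willing to process.
export const ALLOWED_REACTION_IDS: readonly string[] = [
  "thumbs_up", "heart", "laughing", "surprised", "sad", "clap",
];

export type Validation = { ok: true; id: string } | { ok: false; reason: string };

// Reject anything that is not a short, printable string from the allow-list
// before the value reaches the code that updates reaction state (CWE-20 fix).
export function validateReactionEmojiId(value: unknown): Validation {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  if (value.length === 0 || value.length > 64) return { ok: false, reason: "bad length" };
  if (/[\x00-\x1f\x7f]/.test(value)) return { ok: false, reason: "control characters" };
  if (ALLOWED_REACTION_IDS.indexOf(value) === -1) return { ok: false, reason: "unknown id" };
  return { ok: true, id: value };
}

// Shape of one constructed request-log entry (one JSON object per line).
interface ReactionLog { ts: number; userId: string; reactionEmojiId: unknown }

function parseLine(line: string): ReactionLog | null {
  try { return JSON.parse(line) as ReactionLog; } catch (e) { return null; }
}

// Validate each logged reactionEmojiId and report users whose count of rejected
// reactions within `windowMs` reaches `threshold` (input for rate limiting/alerts).
export function flagAbusiveUsers(lines: string[], threshold = 3, windowMs = 60000): string[] {
  const rejects: Record<string, number[]> = {};
  const flagged: string[] = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (entry === null) continue; // skip unparsable lines
    if (validateReactionEmojiId(entry.reactionEmojiId).ok) continue;
    const recent = (rejects[entry.userId] || []).filter(t => entry.ts - t < windowMs);
    recent.push(entry.ts);
    rejects[entry.userId] = recent;
    if (recent.length >= threshold && flagged.indexOf(entry.userId) === -1) flagged.push(entry.userId);
  }
  return flagged;
}

// Constructed sample log: one valid reaction, three malformed ones from u2, one from u3.
export const SAMPLE_LOG: string[] = [
  '{"ts":1000,"userId":"u1","reactionEmojiId":"thumbs_up"}',
  '{"ts":2000,"userId":"u2","reactionEmojiId":12345}',
  '{"ts":3000,"userId":"u2","reactionEmojiId":"\\u0000"}',
  '{"ts":4000,"userId":"u2","reactionEmojiId":"not_an_emoji"}',
  '{"ts":5000,"userId":"u3","reactionEmojiId":""}',
];
```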

Responsible: GitHub M

Reservation: 09/26/2025

Disclosure: 10/10/2025

Moderation: accepted

CPE: ready

EPSS: 0.00358

KEV: no

Activities: very low

Sources
