Unrestricted File Upload in bigbluebutton/bigbluebutton


Reported on

Nov 2nd 2022

BigBlueButton 2.5.6 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures.

  • PoC:

1- Submit the request to insertDocument, specifying the extension:


2- Below we see the log file & the file on the file system:




1- AV distribution

2- Utilizing the file with another vulnerability/issue

We are processing your report and will contact the bigbluebutton team within 24 hours. a year ago
We have contacted a member of the bigbluebutton team and are waiting to hear back a year ago
We have sent a follow up to the bigbluebutton team. We will try again in 7 days. a year ago
Fred Dixon
a year ago


Thanks for your submission -- reviewing this internally.

We have sent a second follow up to the bigbluebutton team. We will try again in 10 days. a year ago
a year ago



Hi Fred, kindly indicate if there is any update.

a year ago


Hi @annfalotaibi, we've a dev working on it now.

a year ago


@bigbluebutton/bigbluebutton Thank you for the confirmation, I'd appreciate it if you could mark the issue as valid, and look into the other issues especially the ones related to Greenlight as they are critical.

We have sent a third and final follow up to the bigbluebutton team. This report is now considered stale. a year ago
Tainan Felipe validated this vulnerability a year ago
Abdulmohsen Alotaibi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
8 months ago


@farhatahmad @tainan404 Hi team, I would truly appreciate it if you could mark this finding as fixed, and publish it as a CVE (this option appears to the maintainers after marking the issue as fixed).

3 months ago


@tainan404 Hi Tainan, I'd appreciate it if you could release a CVE on that from your end through Github.

Anton Georgiev
3 months ago


Hi @annfalotaibi,

I have requested a CVE as part of https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc Typically it takes up to a day to get it, I'll keep you posted!

Anton Georgiev marked this as fixed in 2.6.0 with commit 520b31 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Anton Georgiev published this vulnerability a month ago
to join this conversation