Path Traversal – Reading Certain File Extensions in bigbluebutton/bigbluebutton


Reported on

Oct 26th 2022

BigBlueButton 2.5.6 is vulnerable to a path traversal vulnerability, that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png).

  • PoC:

1- Submit a request to /bigbluebutton/presentation/<conference>/<room>/<presentation name>/textfiles/<id>

2- A valid path needs to be present on the server to traverse from.

3- utilize a double encoded forward slash "/" to traverse (%252f)

Check the below screenshot for more details.

  • Fix: Do input validation on the parameters being passed and strip dangerous characters.


Reading files with certain extensions that the client has no access to by default.

We are processing your report and will contact the bigbluebutton team within 24 hours. a year ago
We have contacted a member of the bigbluebutton team and are waiting to hear back a year ago
a year ago


Thanks for this submission. We're working on adding more validation.

We have sent a follow up to the bigbluebutton team. We will try again in 7 days. a year ago
We have sent a second follow up to the bigbluebutton team. We will try again in 10 days. a year ago
bigbluebutton/bigbluebutton maintainer modified the Severity from Low (3.7) to Low (3.1) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
bigbluebutton/bigbluebutton maintainer validated this vulnerability a year ago

Hey! Thanks for your report, we've assigned a developer to fix it.

Abdulmohsen Alotaibi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
3 months ago


@bigbluebutton Hi team, I'd appreciate it if you could release a CVE on that from your end through Github.

Anton Georgiev
3 months ago


Hi @anndalotaibi,

I have requested a CVE from GitHub via

It typically takes up to a day. I will keep you posted.

Anton Georgiev marked this as fixed in 2.6.0 with commit 6922bb a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Anton Georgiev published this vulnerability a month ago
to join this conversation