Описание
ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion
Summary
ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover.
Details
ChatterBot relies on SQLAlchemy for database access and uses a connection pool with default limits. The get_response() method does not enforce concurrency limits, rate limiting, or explicit session lifecycle controls.
When multiple threads concurrently invoke get_response(), database connections are rapidly consumed and not released in a timely manner. This leads to exhaustion of the SQLAlchemy QueuePool, causing subsequent requests to block and eventually fail with a TimeoutError.
This issue can be triggered without authentication in deployments where ChatterBot is exposed as a chatbot service, making it exploitable by remote attackers to cause denial of service.
PoC Video: https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f
PoC
- Install ChatterBot version 1.2.10.
- Use the default database configuration (SQLite / SQLAlchemy).
- Run the following Python script to invoke concurrent requests:
from chatterbot import ChatBot import threading
bot = ChatBot("dos-test")
def attack(): bot.get_response("hello")
threads = [] for _ in range(30): t = threading.Thread(target=attack) t.start() threads.append(t)
for t in threads: t.join()
- Observe that the application becomes unresponsive and raises SQLAlchemy TimeoutError exceptions indicating exhaustion of the connection pool.
Impact
This vulnerability allows an attacker to trigger a denial-of-service condition by exhausting the database connection pool. Once triggered, the chatbot becomes unresponsive to legitimate users and requires a manual restart to restore functionality.
All deployments of ChatterBot version 1.2.10 or earlier that allow concurrent access to the get_response() method are impacted.
Ссылки
- https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72
- https://nvd.nist.gov/vuln/detail/CVE-2026-23842
- https://github.com/gunthercox/ChatterBot/pull/2432
- https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf
- https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11
- https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f
Пакеты
chatterbot
<= 1.2.10
1.2.11
Связанные уязвимости
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.