CVE-2026-23842
ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion
描述
### Summary ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. ### Details ChatterBot relies on SQLAlchemy for database access and uses a connection pool with default limits. The get_response() method does not enforce concurrency limits, rate limiting, or explicit session lifecycle controls. When multiple threads concurrently invoke get_response(), database connections are rapidly consumed and not released in a timely manner. This leads to exhaustion of the SQLAlchemy QueuePool, causing subsequent requests to block and eventually fail with a TimeoutError. This issue can be triggered without authentication in deployments where ChatterBot is exposed as a chatbot service, making it exploitable by remote attackers to cause denial of service. PoC Video: https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f ### PoC 1. Install ChatterBot version 1.2.10. 2. Use the default database configuration (SQLite / SQLAlchemy). 3. Run the following Python script to invoke concurrent requests: from chatterbot import ChatBot import threading bot = ChatBot("dos-test") def attack(): bot.get_response("hello") threads = [] for _ in range(30): t = threading.Thread(target=attack) t.start() threads.append(t) for t in threads: t.join() 4. Observe that the application becomes unresponsive and raises SQLAlchemy TimeoutError exceptions indicating exhaustion of the connection pool. ### Impact This vulnerability allows an attacker to trigger a denial-of-service condition by exhausting the database connection pool. Once triggered, the chatbot becomes unresponsive to legitimate users and requires a manual restart to restore functionality. All deployments of ChatterBot version 1.2.10 or earlier that allow concurrent access to the get_response() method are impacted.
如何修補 CVE-2026-23842
要修補 CVE-2026-23842,請將受影響套件升級到下列已修補版本。
- —升級至 1.2.11 或更新版本
CVE-2026-23842 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。