CVE-2026-23842
📋 TL;DR
ChatterBot versions up to 1.2.10 are vulnerable to denial-of-service due to improper database connection pool management. Concurrent calls to the get_response() method can exhaust SQLAlchemy connections, causing persistent service unavailability requiring manual restart. This affects all users running vulnerable ChatterBot instances.
💻 Affected Systems
- ChatterBot
📦 What is this software?
Chatterbot by Chatterbot
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage requiring manual restart, potentially disrupting chatbot-dependent business operations for extended periods.
Likely Case
Service degradation or temporary unavailability during high concurrent usage, requiring intervention to restore functionality.
If Mitigated
Minimal impact with proper connection limits and monitoring, though risk remains without patching.
🎯 Exploit Status
Exploitation requires only the ability to send concurrent requests to the get_response() endpoint, making it simple to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.11
Vendor Advisory: https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72
Restart Required: Yes
Instructions:
1. Update ChatterBot: pip install --upgrade chatterbot==1.2.11
2. Restart your chatbot application
3. Verify the update with: pip show chatterbot
🔧 Temporary Workarounds
Rate Limiting
Implement request rate limiting to prevent concurrent exhaustion of the connection pool
# Example using Flask-Limiter (3.x signature: key_func first, app passed by keyword)
from flask import Flask, request
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
limiter = Limiter(get_remote_address, app=app)

@app.route("/chat", methods=["POST"])
@limiter.limit("10 per minute")  # per client address; tune to your pool size
def get_response_endpoint():
    # Your chatbot logic, e.g. reply = bot.get_response(request.json["text"])
    return {"reply": "..."}
Connection Pool Configuration
Increase the SQLAlchemy connection pool size and set a pool timeout
# In your SQLAlchemy configuration
from sqlalchemy import create_engine

# pool_size/max_overflow/pool_timeout apply to QueuePool (the default for file-based SQLite in SQLAlchemy 2.0);
# pool_timeout makes a starved caller fail with TimeoutError instead of hanging indefinitely
engine = create_engine('sqlite:///chatbot.db', pool_size=20, max_overflow=30, pool_timeout=30)
🧯 If You Can't Patch
- Implement strict rate limiting and monitoring for concurrent requests to get_response() endpoints
- Deploy behind a WAF with DoS protection and implement circuit breaker patterns in application code
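One way to implement the application-side admission control mentioned above, as an added example that is not ChatterBot's own code: a semaphore bounds the number of in-flight get_response() calls and rejects the overflow immediately (for the web layer to turn into HTTP 503), so a burst of concurrent requests cannot pile up on the SQLAlchemy pool. ConcurrencyGuard, Overloaded and simulate() are hypothetical names, and the assumption that one call holds at most one pooled connection is mine, not the advisory's.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class Overloaded(Exception):
    """No free slot; the web layer should map this to HTTP 503."""

class ConcurrencyGuard:
    """Admission control in front of get_response(): at most max_in_flight
    calls run at once; extra callers are rejected at once instead of queueing
    on the SQLAlchemy pool. Assumption (not from the advisory): one call holds
    at most one pooled connection, so max_in_flight <= pool_size is safe."""
    def __init__(self, max_in_flight, acquire_timeout=0.0):
        self._slots = threading.BoundedSemaphore(max_in_flight)
        self._timeout = acquire_timeout
        self._lock = threading.Lock()
        self.in_flight = self.peak = self.rejected = 0

    def call(self, fn, *args):
        if not self._slots.acquire(timeout=self._timeout):
            with self._lock:
                self.rejected += 1
            raise Overloaded("chatbot busy, retry later")
        try:
            with self._lock:
                self.in_flight += 1
                self.peak = max(self.peak, self.in_flight)
            return fn(*args)
        finally:
            with self._lock:
                self.in_flight -= 1
            self._slots.release()

def simulate(total=20, limit=5):
    """Fire `total` concurrent calls at a stand-in get_response() that blocks
    until every caller has been admitted or rejected; return the tallies."""
    gate = threading.Event()
    guard = ConcurrencyGuard(max_in_flight=limit)
    def fake_get_response(text):  # constructed stand-in for the DB-bound real method
        gate.wait()
        return "reply to " + text
    with ThreadPoolExecutor(max_workers=total) as pool:
        futures = [pool.submit(guard.call, fake_get_response, f"msg {i}")
                   for i in range(total)]
        deadline = time.time() + 5
        while guard.in_flight + guard.rejected < total and time.time() < deadline:
            time.sleep(0.01)
        gate.set()  # release the admitted callers
        accepted = sum(1 for f in futures if f.exception() is None)
    return {"accepted": accepted, "rejected": guard.rejected, "peak": guard.peak}
```

With twenty simultaneous callers and five slots, exactly five calls proceed and fifteen are refused without ever touching the database pool.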
🔍 How to Verify
Check if Vulnerable:
Check the installed ChatterBot version: pip show chatterbot | grep Version
The instance is vulnerable if the reported version is 1.2.10 or lower.
Verify Fix Applied:
Confirm the version is 1.2.11 or higher, then test with concurrent requests to ensure the service remains available.
📡 Detection & Monitoring
Log Indicators:
- SQLAlchemy connection pool exhaustion errors
- Database connection timeout messages
- Increased error rates from get_response() calls
Network Indicators:
- Spike in concurrent requests to chatbot endpoints
- Increased response times followed by service unavailability
SIEM Query:
source="chatbot.logs" AND ("pool exhausted" OR "TimeoutError" OR "OperationalError")
🔗 References
- https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf
- https://github.com/gunthercox/ChatterBot/pull/2432
- https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11
- https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72
- https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f