GHSA-v4w8-49pv-mf72

Source

https://github.com/advisories/GHSA-v4w8-49pv-mf72

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v4w8-49pv-mf72/GHSA-v4w8-49pv-mf72.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v4w8-49pv-mf72

Aliases

CVE-2026-23842

Published

2026-01-20T18:36:17Z

Modified

2026-02-03T02:57:43.928477Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion

Details

Summary

ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover.

Details

ChatterBot relies on SQLAlchemy for database access and uses a connection pool with default limits. The get_response() method does not enforce concurrency limits, rate limiting, or explicit session lifecycle controls.

When multiple threads concurrently invoke get_response(), database connections are rapidly consumed and not released in a timely manner. This leads to exhaustion of the SQLAlchemy QueuePool, causing subsequent requests to block and eventually fail with a TimeoutError.

This issue can be triggered without authentication in deployments where ChatterBot is exposed as a chatbot service, making it exploitable by remote attackers to cause denial of service.

PoC Video: https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f

PoC

Install ChatterBot version 1.2.10.
Use the default database configuration (SQLite / SQLAlchemy).
Run the following Python script to invoke concurrent requests:

from chatterbot import ChatBot import threading

bot = ChatBot("dos-test")

def attack(): bot.get_response("hello")

threads = [] for _ in range(30): t = threading.Thread(target=attack) t.start() threads.append(t)

for t in threads: t.join()

Observe that the application becomes unresponsive and raises SQLAlchemy TimeoutError exceptions indicating exhaustion of the connection pool.

Impact

This vulnerability allows an attacker to trigger a denial-of-service condition by exhausting the database connection pool. Once triggered, the chatbot becomes unresponsive to legitimate users and requires a manual restart to restore functionality.

All deployments of ChatterBot version 1.2.10 or earlier that allow concurrent access to the get_response() method are impacted.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed_at": "2026-01-20T18:36:17Z",
    "nvd_published_at": "2026-01-19T19:16:04Z",
    "severity": "HIGH"
}

References

Affected packages

PyPI / chatterbot

Package

Name: chatterbot; View open source insights on deps.dev
Purl: pkg:pypi/chatterbot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.11

Affected versions

0.*

0.0.0

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.1.0

0.1.1

0.1.2

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.4.10

0.4.11

0.4.12

0.4.13

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.6.0

0.6.1

0.6.2

0.6.3

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

1.*

1.0.0a1

1.0.0a2

1.0.0a3

1.0.0a4

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.7

1.0.8

1.1.0a7

1.1.0

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v4w8-49pv-mf72/GHSA-v4w8-49pv-mf72.json"

last_known_affected_version_range

"<= 1.2.10"