ChatterBot Denial-of-Service Vulnerability via Database Connection Pool Exhaustion

Vulnerability

A denial-of-service vulnerability has been identified in ChatterBot versions through 1.2.10. It arises from improper management of database sessions and the connection pool, which can be exploited to exhaust the available database connections. The vulnerability is triggered by concurrent calls to the get_response() method: once the pool runs out of connections, further calls block, the service becomes unresponsive, and a manual restart is required to restore functionality.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to become unresponsive and unavailable to users. This requires a manual restart of the service to recover.

Reproduction

To reproduce this vulnerability, install ChatterBot version 1.2.10 and use the default database configuration with SQLite and SQLAlchemy. Then, run a Python script that creates multiple threads, each invoking the get_response() method concurrently. This will exhaust the SQLAlchemy connection pool, causing the application to become unresponsive and raise timeout errors indicating that the connection pool has been exhausted.

Remediation

Users can upgrade to ChatterBot version 1.2.11 or later, where this vulnerability has been fixed.
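As an added illustration (not ChatterBot's code and not the 1.2.11 fix itself), the following constructed Python model reproduces the failure mode described under Reproduction and the session-scoping pattern that prevents it: a fixed-size pool with a checkout timeout, hit by more concurrent callers than it has connections. The pool class, the responder functions and the timing values are all assumptions made for the example.

```python
import queue
from concurrent.futures import ThreadPoolExecutor
from contextlib import contextmanager

class PoolExhausted(Exception):
    """Stand-in for the pool timeout error a blocked caller eventually gets."""

class BoundedPool:
    """Constructed model of a fixed-size connection pool with a checkout timeout
    (like SQLAlchemy's QueuePool with max_overflow=0); not ChatterBot's code."""
    def __init__(self, size, timeout):
        self._free = queue.Queue(maxsize=size)
        for i in range(size):
            self._free.put(f"conn-{i}")
        self._timeout = timeout
    def checkout(self):
        try:
            return self._free.get(timeout=self._timeout)
        except queue.Empty:
            raise PoolExhausted("pool limit reached, connection timed out") from None
    @contextmanager
    def session(self):
        conn = self.checkout()
        try:
            yield conn
        finally:  # returned to the pool even if the caller raises
            self._free.put(conn)

def leaky_respond(pool, leaked, text):
    # Defect pattern: the session is checked out and never returned, so each
    # concurrent caller permanently consumes one pooled connection.
    leaked.append(pool.checkout())
    return text.upper()

def safe_respond(pool, text):
    # Remedy pattern: scope the session to the call so it is always released.
    with pool.session():
        return text.upper()

def simulate(leaky, pool_size=2, callers=5, timeout=0.2):
    """Run `callers` concurrent responders against a pool of `pool_size` and
    return how many calls failed with PoolExhausted."""
    pool, leaked = BoundedPool(pool_size, timeout), []
    def call(i):
        msg = f"hello {i}"
        return leaky_respond(pool, leaked, msg) if leaky else safe_respond(pool, msg)
    with ThreadPoolExecutor(max_workers=callers) as ex:
        results = [ex.submit(call, i) for i in range(callers)]
    return sum(isinstance(r.exception(), PoolExhausted) for r in results)
```

With a pool of 2 and 5 callers, the leaky responder leaves 3 calls timed out while the scoped responder completes all 5; raising the pool size only moves the threshold, it does not remove it.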

Added: Jan 19, 2026, 7:27 PM
Updated: Jan 19, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.