ChatterBot Silence: Killing AI with Database Exhaustion
Jan 20, 2026
Executive Summary (TL;DR)
ChatterBot versions <= 1.2.10 fail to release database connections after processing requests. An attacker can trigger a denial of service (DoS) simply by sending concurrent requests, causing the SQL connection pool to fill up and blocking all subsequent traffic until the service is manually restarted.
ChatterBot, a popular Python library for conversational AI, suffers from a critical resource mismanagement flaw in its SQL storage adapter. By failing to close database sessions and properly scope threads, the application leaks connections until the database pool is exhausted, resulting in a persistent Denial of Service.
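The leak pattern the summary describes beside its scoped counterpart, as an added example that is not ChatterBot's own code: a small bounded pool over sqlite3 (an assumed stand-in for the storage adapter's SQL session pool) serves requests from a handler that never releases its session and from one whose session is bound to the request, and exposes a checked-out gauge a defender can alert on. Requests run sequentially here so the outcome is deterministic.

```python
import queue
import sqlite3
from contextlib import contextmanager

class BoundedPool:
    """Fixed-size pool of sqlite3 connections standing in for SQL sessions."""

    def __init__(self, pool_size=5, timeout=0.05):
        self.pool_size, self.timeout, self.checked_out = pool_size, timeout, 0
        self._free = queue.Queue()
        for _ in range(pool_size):
            self._free.put(sqlite3.connect(":memory:"))

    def acquire(self):
        # queue.Empty here means the pool is exhausted: nothing was freed in time.
        conn = self._free.get(timeout=self.timeout)
        self.checked_out += 1  # gauge worth exporting: a steady climb means a leak
        return conn

    @contextmanager
    def session(self):
        conn = self.acquire()
        try:
            yield conn
        finally:  # returned on every exit path, including exceptions
            self.checked_out -= 1
            self._free.put(conn)

def leaky_handler(pool, text):
    """Flawed pattern: a session is opened per request and never closed."""
    conn = pool.acquire()
    return conn.execute("SELECT upper(?)", (text,)).fetchone()[0]

def scoped_handler(pool, text):
    """Fixed pattern: the session's lifetime is bound to the request."""
    with pool.session() as conn:
        return conn.execute("SELECT upper(?)", (text,)).fetchone()[0]

def serve(handler, pool, n_requests):
    """Serve n requests; return (completed, connections still checked out)."""
    completed = 0
    for i in range(n_requests):
        try:
            handler(pool, f"msg {i}")
        except queue.Empty:  # pool exhausted: every later request stalls
            break
        completed += 1
    return completed, pool.checked_out
```

With a pool of five, the leaky handler completes exactly five requests and leaves five connections checked out for good; the scoped handler completes all of them and returns the gauge to zero.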
Technical Appendix
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ChatterBot GuntherCox | <= 1.2.10 | 1.2.11 |

| Attribute | Detail |
|---|---|
| CWE | CWE-400 (Uncontrolled Resource Consumption) |
| CVSS v3.1 | 7.5 (High) |
| Attack Vector | Network (Remote) |
| Attack Complexity | Low |
| Privileges Required | None |
| Impact | Denial of Service (Persistent) |
| Fixed Version | 1.2.11 |
MITRE ATT&CK Mapping
CWE-400 (Uncontrolled Resource Consumption): the product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.