CISOOnline

Attackers can turn AI agent guardrails into denial-of-service weapons

They added that “a single poisoned document can saturate shared guardrail infrastructures, effectively starving co-located agents and paralyzing the entire system,” describing a reasoning-extension denial-of-service (DoS) attack that targets the security layer rather than the underlying AI model.

The researchers tested the technique against four AI agent frameworks — LangGraph, BrowserGym, OpenHands, and OSWorld — and found processing times increased across deployments.

LangGraph recorded the biggest slowdown at 148x, followed by BrowserGym at 131x, OpenHands at 36.3x, and OSWorld at 18x, according to the paper.

Attack exploits reasoning rather than bypassing security

Unlike prompt injection and jailbreak attacks that seek to manipulate model outputs or circumvent safety controls, the new technique targets the reasoning process used by AI agent guardrails, the researchers wrote in the paper.
