June 30, 2026
Model Denial of Service: The Costly Loop Bug Quietly Draining LLM Budgets ๐ธ
Why a single unbounded loop in an LLM API can outcost a data breach โ and nobody notices until the invoice lands.
By @AnandPrajapati
2 min read
In November 2025, a production multi-agent pipeline got stuck in a loop โ agents endlessly re-checking each other's output.
Nobody caught it for 11 days.
The bill: $47,000.
No breach. No stolen data. No malware. Just a loop that was never told to stop, burning tokens every second nobody was watching.
This is Model Denial of Service โ and in the 2025 OWASP Top 10 for LLM Applications, it was renamed and widened from the old LLM04:2023 "Model Denial of Service" into LLM10:2025 "Unbounded Consumption" โ one risk category now covering outages, denial-of-wallet, and even model theft via excessive querying.
โก Why It's Not Like Normal DoS
Classic DoS floods a server until it falls over. Model DoS floods a billing meter until your company does.
LLMs are billed per token โ input, output, even internal "thinking" tokens. Nothing needs to break. The system just needs to keep generating. Across the industry right now, the conversation has shifted from writing good prompts to designing the loops that run them โ which quietly makes a bad loop a bigger risk than a bad prompt.
๐ Three Ways a Loop Gets Expensive
1. Tool-call loops ๐ ๏ธ Agent calls a tool โ gets an unclear or empty result โ retries โ repeats. One reported case had an agent call the same file-listing function 14,000 times in a single overnight run โ a classic symptom of a tool that never returns a clean "done" signal.
2. Reasoning loops ๐ง No tools involved at all โ the model just keeps "thinking." One documented case logged 847 reasoning steps at roughly $47/minute, without ever producing a final answer.
3. Context-accumulation loops ๐ Every step in an agent loop resends the entire conversation so far. By step 20, you're re-paying for the same 8,000+ tokens you already paid for at step 1. That's a core reason agents now burn roughly 50x more tokens than a single chat turn for equivalent work.
๐จ It's a Filed, Real Vulnerability โ Not Theory
CVE-2026โ55446: an unauthenticated DoS in Langflow, filed under CWE-400: Uncontrolled Resource Consumption. One request, oversized multipart form boundary, zero login required โ and the app became unusable for every user, indefinitely.
If you test LLM-backed apps for a living, this is one of the easiest categories to actually prove end-to-end โ no exploit chain needed, just patience and a timer.
Test it responsibly: stay inside scope, confirm the target's tolerance for repeated or heavy requests before you send them. The goal is proving the gap exists, not actually taking the service down.
๐ก๏ธ How to Actually Stop It
A billing alert is not a defense. By the time the email lands, the loop has already run for another twenty minutes.
โ Enforce limits outside the agent โ never just in its system prompt. A task-motivated agent will ignore "stop at $10" the moment stopping gets in the way of finishing. โ Hard iteration caps โ e.g. max 3โ5 tool calls per task, no exceptions. โ Circuit breakers on token velocity, not just request count. โ Repetition detection โ same tool, same arguments, three times in a row = kill the session. โ Context pruning + prompt caching, so step 20 isn't re-billing step 1. โ Tiered hard caps: soft alert โ forced downgrade to a cheaper model โ full stop requiring human approval.
A minimal version, in code:
if session.tokens_spent > budget_cap:
halt_agent()
if same_tool_call_repeated(times=3):
halt_agent()if session.tokens_spent > budget_cap:
halt_agent()
if same_tool_call_repeated(times=3):
halt_agent()Two lines. Most production agents still don't have them.
๐ TL;DR
Model DoS doesn't need an attacker. A confused agent and a missing stop condition are enough. The fix isn't "watch the bill" โ it's making the loop physically incapable of continuing past a hard limit.
I catalog real-world vulnerabilities like this โ across web, API, mobile, cloud, and AI/LLM security โ inside 150DaysWithAppSec: 300 vulnerabilities, one repo.
Anand Prajapati ๐ LinkedIn: linkedin.com/in/anand-prajapati-7a265a369 ๐ GitHub: github.com/anand87794