Abstract
We increase overhead for applications that rely on reasoning LLMs: we force models to spend an amplified number of reasoning tokens, i.e., "overthink", to respond to the user query while providing contextually correct answers. The adversary performs an OVERTHINK attack by injecting decoy reasoning problems into the public content that is used by the reasoning LLM (e.g., for RAG applications) during inference time. Due to the nature of our decoy problems (e.g., a Markov Decision Process), modified texts do not violate safety guardrails. We evaluated our attack across closed-weights (OpenAI o1, o1-mini, o3-mini) and open-weights (DeepSeek R1) reasoning models on the FreshQA and SQuAD datasets. Our results show up to 46x slowdown and high transferability of the attack across models. To protect applications, we discuss and implement defenses leveraging LLM-based and system design approaches. Finally, we discuss societal, financial, and energy impacts of the OVERTHINK attack, which could amplify the costs for third-party applications operating reasoning models.