Abstract
We increase overhead for applications that rely on reasoning LLMs: we force models to spend an amplified number of reasoning tokens, i.e., "overthink", to respond to the user query while providing contextually correct answers. The adversary performs an OVERTHINK attack by injecting decoy reasoning problems into the public content that is used by the reasoning LLM (e.g., for RAG applications) during inference time. Due to the nature of our decoy problems (e.g., a Markov Decision Process), modified texts do not violate safety guardrails. We evaluated our attack across closed-weights (OpenAI o1, o1-mini, o3-mini) and open-weights (DeepSeek R1) reasoning models on the FreshQA and SQuAD datasets. Our results show up to 18x slowdown on the FreshQA dataset and 46x slowdown on the SQuAD dataset. The attack also shows high transferability across models. To protect applications, we discuss and implement defenses leveraging LLM-based and system design approaches. Finally, we discuss societal, financial, and energy impacts of the OVERTHINK attack, which could amplify the costs for third-party applications operating reasoning models.