system: OPERATIONAL
← back to all hacks
AGENTS MEDIUM NEW

Infinite agentic loops: detecting unbounded agent feedback paths

A July 2026 study defines Infinite Agentic Loops and scans 6,549 agent repos, confirming 68 unbounded feedback paths that can drive cost exhaustion, model DoS and runaway context growth.

2026-07-07 // 6 min affects: llm-agents, langchain, langgraph, crewai, openai-agents-sdk

What is this?

Modern LLM agents work by looping: they plan, call a model, invoke a tool, read the result, update state, and decide what to do next — over and over until the task is done. A paper published on arXiv on 2 July 2026, When Agents Do Not Stop: Uncovering Infinite Agentic Loops in LLM Agents (2607.01641), names the failure that happens when that loop never terminates: an Infinite Agentic Loop (IAL).

An IAL is not an ordinary programming while(true). It emerges from the interaction between agent logic, framework semantics, runtime observations, and termination mechanisms. A single user request can be amplified into an unbounded run of model calls, tool invocations, workflow transitions, or agent hand-offs — causing, in the authors’ words, cost exhaustion, model denial of service, context growth, and repeated external side effects. The paper’s contribution is defensive: a definition of the failure class plus a static analyzer, IAL-Scan, that finds these loops in code before deployment.

To measure how common the problem is, the authors ran IAL-Scan across 6,549 real-world agent repositories. It surfaced 74 candidate findings, of which manual review confirmed 68 genuine IAL failures across 47 projects, a reported precision of 91.9%.

How it works

The uncomfortable finding is that most affected frameworks already ship loop-control mechanisms — LangChain’s max_iterations, LangGraph’s recursion limit, the OpenAI Agents SDK’s maximum-turn cap, CrewAI’s max_iter — and IALs still occur. According to the paper, developers omit these bounds, misuse them, configure them with ineffective values, or place them outside the actual feedback path so they never fire. Worse, some termination conditions are semantically fragile: whether the loop continues is ultimately decided by model outputs, tool observations, external state, exceptions, or delegation choices, none of which a fixed counter reliably constrains.

Detecting this statically is hard for three reasons the paper calls out. Agent behaviour is expressed through framework interfaces rather than plain source-level calls, so the same “call the model” or “dispatch a tool” concept hides behind different APIs. A single loop can span many program and framework elements — routing predicates, retry handlers, message updates, agent hand-offs — so the feedback path has to be reconstructed across wrapper and framework code. And the real question is not “does a limit exist?” but “does an effective bound cover the repeated path?”, since loops are normal and often legitimate in agents.

IAL-Scan answers this by lifting heterogeneous agent code into a framework-independent Agent IR, building an Agentic Loop Dependence Graph (ALDG) that recovers both explicit loops and framework-induced feedback paths, and then checking whether a reachable path can repeatedly hit costly or state-growing operations without a bound that actually covers it. The tool supports eight mainstream agent frameworks. No exploit or attack payload is published — the work is a measurement study and a detector, the same “map the failure surface” posture seen in the agent dependency-graph analysis and distinct from adversarial termination poisoning, where an attacker deliberately prevents an agent from stopping.

Why it matters

An unbounded loop is a denial-of-service and cost problem that does not need an attacker to trigger it — a single malformed task, a flaky tool, or a model that keeps “trying again” is enough. In a metered deployment that translates directly into runaway API bills and GPU time, and in a multi-tenant service it can starve other users. The 47 confirmed projects show this is a structural property of how agents are being built today, not a handful of buggy repos.

The security angle sharpens once the loop has side effects. A feedback path that repeatedly calls an external tool can send the same email, file the same ticket, or hit the same paid endpoint hundreds of times; context that grows without bound eventually degrades the model’s own reasoning. This failure class maps cleanly onto OWASP LLM10:2025, Unbounded Consumption, which was broadened from the older Model Denial of Service entry precisely to cover recursive context expansion and runaway costs — and it compounds the resource-exhaustion risks already documented in tool-chain token drain and guardrail reasoning DoS.

Defenses

Treat every agent feedback path as something that must be provably bounded, and put the bound on the path, not next to it.

Do not rely on a framework’s default limit being enough. Confirm that max_iterations, recursion limits or turn caps are set, are set to effective values, and sit inside the loop they are meant to constrain rather than around an outer wrapper that never re-enters. Bound more than iteration count: enforce global budgets on cumulative tokens, wall-clock time, tool calls, and total spend per request, and trip a circuit breaker when any is exceeded. Treat model-controlled continuation as untrusted — if whether the loop repeats depends on model output, tool results, or a delegation decision, add an independent external stop condition rather than trusting the agent to decide to quit. Make repeated external actions idempotent or de-duplicated so a loop that fires twice does not double-charge or double-send. Instrument for the signature at runtime: near-identical successive tool calls, monotonically growing context, and iteration counts trending toward the ceiling are all early warnings. Finally, run static analysis of the kind this paper demonstrates in CI, checking specifically for feedback paths that reach costly operations without effective bound coverage — the same shift-left discipline urged across the agent security lifecycle.

Status

ItemDetail
DisclosurearXiv preprint 2607.01641, 2 July 2026 (measurement study + detector)
NatureInfinite Agentic Loops — unbounded agent feedback paths causing cost exhaustion, model DoS, context growth, repeated side effects
DetectorIAL-Scan — framework-independent Agent IR + Agentic Loop Dependence Graph (ALDG) + bound-coverage checking; 8 frameworks supported
Scale6,549 real-world agent repos scanned; 74 candidates, 68 confirmed IAL failures across 47 projects; 91.9% precision
AffectedAgents built on LangChain, LangGraph, CrewAI, OpenAI Agents SDK and similar iterative frameworks
ClassOWASP LLM10:2025 — Unbounded Consumption

Findings reflect the cited study. A static analyzer reports feasible unbounded paths, not confirmed live outages — validate flagged loops against your own deployment and its configured bounds before drawing conclusions about a specific agent.

Sources