
Critical DoS: blocking requests.post without timeout in async CYSTCoordinator #479

@eldraco

Description


🐛 Bug Report

Past Issues Searched

  • I have searched open and closed issues to make sure that the bug has not yet been reported

Issue is a Bug Report

  • This is a bug report and not a feature request, nor asking for support

Describe the bug

AIDojoCoordinator/worlds/CYSTCoordinator.py has a critical event-loop blocking bug that enables service-wide denial of service.

_cyst_request() is declared async but performs synchronous blocking I/O via requests.post(...) with no timeout. Because it is called from agent action handlers on the asyncio loop, one slow/hung CYST HTTP call can block the entire loop, preventing all agents from being served.

Evidence (code)

  • AIDojoCoordinator/worlds/CYSTCoordinator.py:93: async def _cyst_request(...)
  • AIDojoCoordinator/worlds/CYSTCoordinator.py:99: response = requests.post(url, json=data) (blocking call)
  • AIDojoCoordinator/worlds/CYSTCoordinator.py:99: no timeout= provided
  • AIDojoCoordinator/worlds/CYSTCoordinator.py:118 and :144: called during action processing path

Reproduction

  1. Start coordinator with CYST endpoint unreachable/slow, or force CYST endpoint to delay indefinitely.
  2. Connect as agent and send action requiring CYST call (e.g., ScanNetwork / FindServices).
  3. Coordinator enters _cyst_request() and blocks in requests.post.
  4. Event loop stalls; other agents and tasks stop progressing.

Impact

  • Critical availability failure (global DoS).
  • Single request can freeze gameplay for all connected players.
  • Can be triggered remotely by an agent action path.

Expected behavior

Coordinator should never block the asyncio event loop on outbound HTTP calls. Slow/unreachable CYST should fail fast per-request and preserve service responsiveness for other agents.

Screenshots

Not applicable.

Environment

  • OS: macOS/Linux
  • Browser: N/A (TCP service)
  • Browser Version: N/A

Suggested fix

  • Replace requests with async client (aiohttp or httpx.AsyncClient) in _cyst_request().
  • Enforce strict request timeouts and exception handling.
  • Optionally isolate CYST calls in worker threads/executor if sync library must be used.
  • Return explicit error responses to agents when CYST backend is unavailable.
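As an added illustration, not code from the AIDojoCoordinator repository or from the reporter, the script below reproduces the failure mode offline and shows the executor-plus-timeout variant of the suggested fix. The backend stand-ins (slow_post, dead_post), the agent payloads and the timing values are constructed for the demonstration; nothing here talks to a real CYST endpoint or uses the project's own function names.

```python
import asyncio
import time


# Constructed stand-ins for the CYST HTTP backend (no network needed).
# slow_post behaves like requests.post() against a hung server: it blocks
# the calling thread until `delay` seconds pass. dead_post behaves like a
# refused connection.
def slow_post(payload, delay):
    time.sleep(delay)
    return {"status": "ok", "echo": payload}


def dead_post(payload, delay):
    raise ConnectionError("connection refused")


async def cyst_request_blocking(post, payload, delay):
    # The pattern described in the report: a coroutine that performs
    # synchronous I/O. Nothing else on the event loop runs until it returns.
    return post(payload, delay)


async def cyst_request_nonblocking(post, payload, delay, timeout):
    # One way to keep a synchronous HTTP library: run the call in a worker
    # thread, bound it with a deadline, and map failures to an explicit
    # error dict instead of letting an exception escape the action handler.
    loop = asyncio.get_running_loop()
    try:
        return await asyncio.wait_for(
            loop.run_in_executor(None, post, payload, delay), timeout
        )
    except asyncio.TimeoutError:
        return {"status": "error", "reason": "cyst_timeout"}
    except OSError as exc:  # ConnectionError is a subclass of OSError
        return {"status": "error", "reason": f"cyst_unavailable: {exc}"}


async def other_agents(ticks, interval, stop):
    # Stands in for every other connected agent: records progress once per
    # `interval` for as long as the event loop is free to schedule it.
    while not stop.is_set():
        ticks.append(time.monotonic())
        await asyncio.sleep(interval)


async def scenario(request_coro, interval=0.02):
    # Run one CYST request while the other-agents task tries to make
    # progress; return (number of ticks the other agents managed, result).
    ticks = []
    stop = asyncio.Event()
    task = asyncio.create_task(other_agents(ticks, interval, stop))
    await asyncio.sleep(0)  # let the other-agents task start
    result = await request_coro
    stop.set()
    await task
    return len(ticks), result


def run_blocking(delay=0.3):
    # Hung backend + blocking call: other agents are frozen for `delay`.
    payload = {"action": "ScanNetwork"}  # constructed sample action
    return asyncio.run(scenario(cyst_request_blocking(slow_post, payload, delay)))


def run_nonblocking(delay=0.3, timeout=0.15):
    # Same hung backend, but the call runs in a thread with a deadline:
    # other agents keep ticking and the caller gets an explicit timeout error.
    payload = {"action": "ScanNetwork"}
    return asyncio.run(
        scenario(cyst_request_nonblocking(slow_post, payload, delay, timeout))
    )


def run_dead_backend(timeout=1.0):
    # Refused connection is reported to the agent rather than raised.
    payload = {"action": "FindServices"}
    return asyncio.run(
        scenario(cyst_request_nonblocking(dead_post, payload, 0, timeout))
    )


if __name__ == "__main__":
    print("blocking:    ", run_blocking())
    print("nonblocking: ", run_nonblocking())
    print("dead backend:", run_dead_backend())
```

In the blocking run the other-agents task gets at most its first tick before the loop stalls for the whole backend delay; in the executor run it keeps ticking throughout and the request returns an error dict once the deadline passes. An async client (aiohttp or httpx.AsyncClient) with a per-request timeout achieves the same result without the worker thread; the executor variant is shown because it keeps the existing requests dependency.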
