🐛 Bug Report
Past Issues Searched
Issue is a Bug Report
Describe the bug
AIDojoCoordinator/worlds/CYSTCoordinator.py contains a critical remote DoS flaw: blocking HTTP is used inside async action handling, with no timeout.
_cyst_request() is async, but it performs synchronous requests.post(...) and waits indefinitely if CYST is slow/unreachable. Because this runs on the coordinator's asyncio path, one attacker-triggered action can freeze the event loop and halt the whole game service.
In a high-end adversary model (state-sponsored disruption), this is an ideal single-request service kill switch: repeatedly trigger an action path that calls CYST while degrading/blackholing the backend, and all agents stop progressing.
Evidence (code)
AIDojoCoordinator/worlds/CYSTCoordinator.py:93 — async function _cyst_request
AIDojoCoordinator/worlds/CYSTCoordinator.py:99 — blocking requests.post(url, json=data)
AIDojoCoordinator/worlds/CYSTCoordinator.py:99 — no timeout= argument
AIDojoCoordinator/worlds/CYSTCoordinator.py:118 and :144 — called directly from action execution path
Reproduction
- Run coordinator with CYST endpoint degraded, filtered, or blackholed.
- Connect as remote agent and submit ScanNetwork or FindServices.
- Coordinator enters _cyst_request() and blocks in requests.post.
- Event loop stalls; all sessions become unresponsive (global DoS).
Impact
- Critical availability loss across all players/sessions.
- Remote trigger through normal agent action flow.
- Reliable kill-switch for coordinated offensive operations.
Expected behavior
Coordinator should remain responsive under CYST slowness/failure:
- Non-blocking async HTTP client,
- strict per-request timeout,
- isolated failure for requesting agent only,
- graceful error response instead of global stall.
Screenshots
Not applicable.
Environment
- OS: Linux/macOS
- Browser: N/A (TCP + backend service)
- Browser Version: N/A
Suggested fix
- Replace requests with aiohttp/httpx.AsyncClient.
- Enforce low connect/read timeouts and retries with circuit-breaker/backoff.
- Wrap backend calls with cancellation-safe exception handling.
- Optionally execute legacy sync calls in thread executor to avoid event-loop blocking.
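Added illustration, not code from the AIDojoCoordinator project: a constructed script that contrasts a handler shaped like the reported _cyst_request() (sync call on the loop thread, no timeout) with the thread-executor-plus-timeout stopgap listed above. The CYST backend is replaced by a sleeping stand-in so it runs offline; blocking_backend, simulate and measure are hypothetical names chosen here.

```python
import asyncio
import time

# Constructed stand-in for the CYST backend: a synchronous call that sleeps
# for `delay` seconds, the way requests.post() with no timeout hangs while
# the backend is slow or blackholed. No real network access is made.
def blocking_backend(data: dict, delay: float) -> dict:
    time.sleep(delay)
    return {"ok": True, "echo": data}

async def cyst_request_blocking(data: dict, delay: float) -> dict:
    # Mirrors the reported defect: a synchronous call made directly on the
    # event-loop thread, so every other coroutine is frozen until it returns.
    return blocking_backend(data, delay)

async def cyst_request_hardened(data: dict, delay: float, timeout: float = 0.1) -> dict:
    # Stopgap named in the report: run the legacy sync call in the default
    # thread executor and bound the wait with a strict per-request timeout.
    # Only this caller sees the failure; the loop keeps serving other agents.
    try:
        return await asyncio.wait_for(asyncio.to_thread(blocking_backend, data, delay), timeout)
    except asyncio.TimeoutError:
        return {"ok": False, "error": "CYST backend timed out"}

async def simulate(handler, delay: float) -> tuple[int, dict]:
    # A heartbeat coroutine stands in for the other sessions the coordinator
    # serves; it counts how often it got to run while one request was pending.
    ticks = 0

    async def heartbeat():
        nonlocal ticks
        while True:
            await asyncio.sleep(0.02)
            ticks += 1

    hb = asyncio.create_task(heartbeat())
    await asyncio.sleep(0)  # let the heartbeat task start before the request
    result = await handler({"action": "ScanNetwork"}, delay)
    hb.cancel()
    return ticks, result

def measure(handler, delay: float) -> tuple[int, dict]:
    return asyncio.run(simulate(handler, delay))

if __name__ == "__main__":
    print("blocking :", measure(cyst_request_blocking, 0.3))  # heartbeat ticks == 0
    print("hardened :", measure(cyst_request_hardened, 0.3))  # heartbeat keeps ticking
```

The executor stopgap bounds the caller's wait but cannot abort the underlying socket wait, so each timed-out call still occupies a worker thread until the sync client gives up; that is why the primary recommendation is a native async client with its own connect/read timeouts.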