CORBA: Contagious Recursive Blocking Attacks on Multi-Agent Systems Based on Large Language Models

📅 2025-02-20
🤖 AI Summary
This work identifies a novel security blind spot in large language model–based multi-agent systems (LLM-MASs) under alignment mechanisms. We propose Contagious Recursive Blocking Attack (CORBA), a lightweight prompt-injection attack paradigm characterized by both *contagiousness*—inter-agent cascading disruption—and *recursiveness*—self-amplifying resource exhaustion. CORBA is the first to formally model dual-characteristic blocking, overcoming the limitations of conventional single-hop alignment defenses. It is architecture-agnostic, compatible with mainstream frameworks (e.g., AutoGen, Camel) and diverse open- and closed-weight LLMs, and supports arbitrary network topologies. Empirical evaluation demonstrates that CORBA induces an average of 92.7% system-level functional failure across multiple configurations, while evading detection with a false-negative rate exceeding 89% (i.e., detection rate <11%). The implementation is publicly released.

📝 Abstract
Large Language Model-based Multi-Agent Systems (LLM-MASs) have demonstrated remarkable real-world capabilities, effectively collaborating to complete complex tasks. While these systems are designed with safety mechanisms, such as rejecting harmful instructions through alignment, their security remains largely unexplored. This gap leaves LLM-MASs vulnerable to targeted disruptions. In this paper, we introduce Contagious Recursive Blocking Attacks (Corba), a novel and simple yet highly effective attack that disrupts interactions between agents within an LLM-MAS. Corba leverages two key properties: its contagious nature allows it to propagate across arbitrary network topologies, while its recursive property enables sustained depletion of computational resources. Notably, these blocking attacks often involve seemingly benign instructions, making them particularly challenging to mitigate using conventional alignment methods. We evaluate Corba on two widely-used LLM-MASs, namely, AutoGen and Camel across various topologies and commercial models. Additionally, we conduct more extensive experiments in open-ended interactive LLM-MASs, demonstrating the effectiveness of Corba in complex topology structures and open-source models. Our code is available at: https://github.com/zhrli324/Corba.
Problem

Research questions and friction points this paper is trying to address.

Identifies vulnerabilities in LLM-MAS security
Proposes Corba to disrupt agent interactions
Tests attack effectiveness across various topologies
Innovation

Methods, ideas, or system contributions that make the work stand out.

Contagious Recursive Blocking Attacks
Propagates across network topologies
Depletes computational resources
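
An added defensive example, not code from the paper or its repository: because the abstract notes that the blocking instructions look benign, this check ignores what a message says and instead tracks how the same text spreads between agents (the contagious property) and how often one agent repeats it (the recursive property). The class name, thresholds and log entries are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

def fingerprint(text: str) -> str:
    """Hash of case- and whitespace-normalised text so trivial edits still match."""
    norm = re.sub(r"\s+", " ", text.strip().lower())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]

class PropagationGuard:
    """Hypothetical message-bus check: flags text emitted by too many distinct
    agents (spread) or too many times by one agent (repetition)."""
    def __init__(self, max_senders: int = 3, max_repeats: int = 3):
        self.max_senders = max_senders  # assumed threshold, tune per system
        self.max_repeats = max_repeats  # assumed threshold, tune per system
        self.counts = defaultdict(lambda: defaultdict(int))  # fp -> sender -> n
        self.blocked = set()

    def observe(self, sender: str, text: str) -> str:
        """Return 'allow' or 'block'; a blocked fingerprint stays blocked."""
        fp = fingerprint(text)
        if fp in self.blocked:
            return "block"
        per_sender = self.counts[fp]
        per_sender[sender] += 1
        if len(per_sender) > self.max_senders or per_sender[sender] > self.max_repeats:
            self.blocked.add(fp)
            return "block"
        return "allow"

# Constructed log of (sender, text) pairs; the repeated text is a harmless placeholder.
SAMPLE_LOG = [
    ("planner", "Summarise the quarterly report."),
    ("agent_a", "RELAY-THIS placeholder text"),
    ("agent_b", "relay-this   placeholder text"),
    ("writer", "Draft is ready for review."),
    ("agent_c", "RELAY-THIS placeholder text"),
    ("agent_d", "RELAY-THIS placeholder text"),
    ("agent_a", "RELAY-THIS placeholder text"),
]

def run(log):
    """Replay a log through a fresh guard and return one verdict per message."""
    guard = PropagationGuard()
    return [guard.observe(s, t) for s, t in log]

if __name__ == "__main__":
    for (sender, _), verdict in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(f"{sender:8} {verdict}")
```

Exact-match fingerprints miss reworded copies, so in practice this check would sit alongside a per-task turn or token budget that bounds resource use regardless of message content.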