Prompt-in-Content Attacks: Exploiting Uploaded Inputs to Hijack LLM Behavior

TL;DR

This paper uncovers prompt-in-content injection attacks in LLMs, where hidden adversarial prompts embedded in user inputs can manipulate outputs, posing a new security threat in real-world applications.

Contribution

It introduces the concept of prompt-in-content attacks, demonstrating their feasibility, analyzing underlying causes, and proposing mitigation strategies.

Findings

Adversarial prompts can manipulate LLM outputs without detection.

Such attacks are feasible across popular LLM platforms.

Mitigation strategies can reduce vulnerability.

Abstract

Large Language Models (LLMs) are widely deployed in applications that accept user-submitted content, such as uploaded documents or pasted text, for tasks like summarization and question answering. In this paper, we identify a new class of attacks, prompt in content injection, where adversarial instructions are embedded in seemingly benign inputs. When processed by the LLM, these hidden prompts can manipulate outputs without user awareness or system compromise, leading to biased summaries, fabricated claims, or misleading suggestions. We demonstrate the feasibility of such attacks across popular platforms, analyze their root causes including prompt concatenation and insufficient input isolation, and discuss mitigation strategies. Our findings reveal a subtle yet practical threat in real-world LLM workflows.