CompressionAttack: Exploiting Prompt Compression as a New Attack Surface in LLM-Powered Agents
Zesen Liu, Zhixiang Zhang, Yuchong Xie, Dongdong She

TL;DR
This paper introduces CompressionAttack, a novel security threat exploiting prompt compression in LLM-powered agents, demonstrating significant attack success rates and highlighting the need for improved defenses.
Contribution
The paper is the first to identify prompt compression as an attack surface and proposes two strategies, HardCom and SoftCom, to exploit this vulnerability in LLMs.
Findings
Achieved up to 83% and 87% attack success rates in experiments.
Demonstrated high stealthiness and transferability of attacks.
Current defenses are ineffective against CompressionAttack.
Abstract
LLM-powered agents often use prompt compression to reduce inference costs, but this introduces a new security risk. Compression modules, which are optimized for efficiency rather than safety, can be manipulated by adversarial inputs, causing semantic drift and altering LLM behavior. This work identifies prompt compression as a novel attack surface and presents CompressionAttack, the first framework to exploit it. CompressionAttack includes two strategies: HardCom, which uses discrete adversarial edits for hard compression, and SoftCom, which performs latent-space perturbations for soft compression. Experiments on multiple LLMs show an average attack success rate (ASR) of up to 83% and 87% in two tasks, while remaining highly stealthy and transferable. Case studies in three practical scenarios confirm real-world impact, and current defenses prove ineffective, highlighting the need for stronger protections.
