Overcoming the Retrieval Barrier: Indirect Prompt Injection in the Wild for LLM Systems

TL;DR

This paper demonstrates that indirect prompt injection (IPI) attacks can reliably manipulate large language models by ensuring malicious content is retrieved, revealing a significant security vulnerability in LLM retrieval systems.

Contribution

It introduces a novel trigger-based attack method that guarantees retrieval of malicious content, and provides the first end-to-end IPI exploits under realistic conditions.

Findings

Near-100% retrieval success across multiple benchmarks and models

High attack success rate in real-world scenarios, e.g., over 80% in exfiltrating SSH keys

Existing defenses are ineffective against retrieval-based IPI attacks

Abstract

Large language models (LLMs) increasingly rely on retrieving information from external corpora. This creates a new attack surface: indirect prompt injection (IPI), where hidden instructions are planted in the corpora and hijack model behavior once retrieved. Previous studies have highlighted this risk but often avoid the hardest step: ensuring that malicious content is actually retrieved. In practice, unoptimized IPI is rarely retrieved under natural queries, which leaves its real-world impact unclear. We address this challenge by decomposing the malicious content into a trigger fragment that guarantees retrieval and an attack fragment that encodes arbitrary attack objectives. Based on this idea, we design an efficient and effective black-box attack algorithm that constructs a compact trigger fragment to guarantee retrieval for any attack fragment. Our attack requires only API access to embedding models, is cost-efficient (as little as $0.21 per target user query on OpenAI's embedding models), and achieves near-100% retrieval across 11 benchmarks and 8 embedding models (including both open-source models and proprietary services). Based on this attack, we present the first end-to-end IPI exploits under natural queries and realistic external corpora, spanning both RAG and agentic systems with diverse attack objectives. These results establish IPI as a practical and severe threat: when a user issued a natural query to summarize emails on frequently asked topics, a single poisoned email was sufficient to coerce GPT-4o into exfiltrating SSH keys with over 80% success in a multi-agent workflow. We further evaluate several defenses and find that they are insufficient to prevent the retrieval of malicious text, highlighting retrieval as a critical open vulnerability.