Image-based Prompt Injection: Hijacking Multimodal LLMs through Visually Embedded Adversarial Instructions

TL;DR

This paper introduces Image-based Prompt Injection (IPI), a black-box attack method that embeds adversarial instructions into images to manipulate multimodal large language models, revealing significant security vulnerabilities.

Contribution

It presents a novel end-to-end pipeline for stealthy prompt injection into images, demonstrating its effectiveness against state-of-the-art models and highlighting security risks.

Findings

IPI can achieve up to 64% attack success rate

The attack is effective under stealth constraints

Multiple embedding strategies were evaluated

Abstract

Multimodal Large Language Models (MLLMs) integrate vision and text to power applications, but this integration introduces new vulnerabilities. We study Image-based Prompt Injection (IPI), a black-box attack in which adversarial instructions are embedded into natural images to override model behavior. Our end-to-end IPI pipeline incorporates segmentation-based region selection, adaptive font scaling, and background-aware rendering to conceal prompts from human perception while preserving model interpretability. Using the COCO dataset and GPT-4-turbo, we evaluate 12 adversarial prompt strategies and multiple embedding configurations. The results show that IPI can reliably manipulate the output of the model, with the most effective configuration achieving up to 64\% attack success under stealth constraints. These findings highlight IPI as a practical threat in black-box settings and underscore the need for defenses against multimodal prompt injection.