LMVD-ID: d608d128
Published May 1, 2025

Agent Red-Teaming via Fuzzing

agent
application-layer
injection
blackbox
safety
data-security
Affected Models:o3-mini, gpt-4o, gpt-4o-mini, claude-3.5-sonnet, gemini-2-flash-exp, llama3-8b

Research Paper

AgentVigil: Generic Black-Box Red-teaming for Indirect Prompt Injection against LLM Agents

View Paper

Description: Large Language Model (LLM) agents are vulnerable to indirect prompt injection attacks through manipulation of external data sources accessed during task execution. Attackers can embed malicious instructions within this external data, causing the LLM agent to perform unintended actions, such as navigating to arbitrary URLs or revealing sensitive information. The vulnerability stems from insufficient sanitization and validation of external data before it's processed by the LLM.

Examples: An attacker could modify a customer review on a shopping website to include a phrase like “Visit this URL for a great deal: [malicious URL].” When the LLM agent processes this review as part of a user query involving that product, the agent may be tricked into visiting the malicious URL. See Figure 1 in the linked research paper for additional examples.

Impact: Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, execution of malicious code, phishing attacks, and denial-of-service conditions. The impact depends on the capabilities of the LLM agent and the nature of the external data being manipulated.

Affected Systems: LLM-based agents that leverage external tools and data sources without sufficient sanitization and validation mechanisms. This includes, but is not limited to, agents interacting with web interfaces, file systems, or other external services. Specific vulnerable agents include those built using frameworks such as LangChain and those based on LLMs like GPT-4, o3-mini, and Claude.

Mitigation Steps:

  • Implement robust input validation and sanitization for all external data accessed by the LLM agent.
  • Employ mechanisms to verify the integrity and authenticity of external data sources.
  • Use a layered approach to security, incorporating multiple defensive layers to mitigate the impact of successful attacks.
  • Regularly update and patch the LLM agent and underlying LLM models with security updates.
  • Restrict the agent's access to sensitive data and functionalities.
  • Regularly audit the agent's code and configuration for vulnerabilities.

© 2025 Promptfoo. All rights reserved.