Slide 15 · Scenarios 4–6
RAG poisoning, catalogued CVE, payload splitting.
How injection scales into complex systems — all with real-world grounding.
📄 OWASP LLM Top 10:2025 · LLM01 Example Attack Scenarios
SCENARIO #4 · Intentional Model Influence via RAG
Poisoned document in knowledge base — misleading outputs
An attacker modifies a document in a repository used by a RAG application. When a user's query returns the modified content, the malicious instructions alter the LLM's output. Confirmed January 2025: researchers demonstrated this against a major enterprise RAG system. Injected document caused the AI to leak proprietary data to external endpoints, modify its own system prompts to disable safety filters, and execute API calls with elevated privileges.
Type: Indirect. Key insight: The attacker never touched the AI — they touched the data the AI reads. RAG expanded the attack surface. It didn't shrink it.
SCENARIO #5 · Code Injection — Catalogued CVE
LLM-powered email assistant — CVE-2024-5184
An attacker exploits CVE-2024-5184 in an LLM-powered email assistant to inject malicious prompts, gaining access to sensitive information and manipulating email content. This is a formally catalogued CVE in production software — prompt injection assigned the same standing as SQL injection or XSS in the NVD.
Type: Direct. Key insight: Prompt injection now has CVE assignments. Organizations must treat it with the same rigor as traditional vulnerabilities in their patch and vulnerability management programs.
SCENARIO #6 · Payload Splitting
Resume with split malicious prompts — manipulated hiring evaluation
An attacker uploads a resume with malicious prompts split across multiple sections. When an LLM evaluates the candidate, the combined prompts manipulate the model's response — producing a positive recommendation regardless of the resume's actual content.
Type: Indirect. Key insight: No single piece looks harmful. Combined, they form a complete attack. Input filters that evaluate each section independently miss the combined effect — context-aware semantic filtering is required.