Sources & Attribution
Everything in this lesson, sourced.
Every CVE, incident, statistic, and tool mentioned in LLM01:2025 — Prompt Injection — traced back to where it came from.
Framework License

This lesson is built on the OWASP Top 10 for Large Language Model Applications (2025), released under Creative Commons Attribution-ShareAlike 4.0. Definitions, attack scenario categories, and mitigation structure are drawn directly from this framework. Real-world incidents, CVE details, and tool descriptions are independent factual reporting, cited individually below.

01
Primary Framework
The structure this entire lesson is built on
OWASP Top 10 for LLM Applications 2025 — LLM01: Prompt Injection
OWASP Foundation · Released 2025 · CC BY-SA 4.0
Cited for: Core definition, direct/indirect injection types, 9 attack scenarios, 7 mitigations
owasp.org →
02
CVEs — Official Records
Formally catalogued vulnerabilities referenced in this lesson
CVE-2025-32711 — "EchoLeak" · CVSS 9.3
Microsoft 365 Copilot · Zero-click indirect prompt injection
Cited for: Indirect injection example, slides 13, 21, 24, 26
NVD record →
CVE-2025-53773 — GitHub Copilot RCE · CVSS 7.8
GitHub Copilot / Visual Studio Code · Invisible Unicode injection → RCE
Cited for: Multimodal injection, least privilege, human approval, slides 16, 22, 23, 26
NVD record →
CVE-2024-5184 — LLM Email Assistant
Production LLM-powered email assistant · Code injection
Cited for: Code injection scenario, slide 15
NVD record →
03
Original Disclosures & Research
The researchers and reporters who found and documented these incidents
Aim Security — EchoLeak Discovery · Research
Discovered and disclosed CVE-2025-32711, June 2025
Cited for: EchoLeak attack chain mechanics, slide 13
Aim Labs writeup (now Cato AI Labs) →
Persistent Security — CVE-2025-53773 Discovery · Research
Reported to Microsoft June 29, 2025 · Patched August 2025
Cited for: GitHub Copilot RCE mechanics, slide 16
Persistent Security writeup →
Johann Rehberger (embracethered.com) — SpAIware · Research
Disclosed at BSides Vancouver Island, September 2024
Cited for: Persistent injection via ChatGPT memory, slides 12, 25
embracethered.com →
Simon Willison — Freysa AI Heist Reporting · Research
November 2024 · First public technical breakdown
Cited for: Freysa $47,000 heist mechanics, slides 5, 6, 10, 11
simonwillison.net →
The Block — "Human player outwits Freysa AI agent" · Reporting
November 29, 2024
Cited for: Freysa heist financial details and outcome
theblock.co →
Obsidian Security — Enterprise RAG Attack Analysis · Research
January 2025 enterprise RAG poisoning demonstration
Cited for: RAG poisoning incident, slides 8, 14, 26
obsidiansecurity.com →
04
Tools Referenced
Real prompt injection defense tools named in the mitigation section
Lakera Guard · Commercial
Lakera · Real-time injection detection API
Cited for: Input/output filtering mitigation, slide 21
Lakera Guard docs →
LLM Guard · Open Source
Protect AI · Apache 2.0
Cited for: Input/output filtering mitigation, slide 21
github.com →
NeMo Guardrails · Open Source
NVIDIA · Apache 2.0
Cited for: Input/output filtering mitigation, slide 21
github.com →
Azure AI Prompt Shields · Managed Service
Microsoft · Azure AI Content Safety
Cited for: Input/output filtering mitigation, slide 21
learn.microsoft.com →
Meta Prompt Guard · Open Source
Meta · 86M parameter classifier
Cited for: Input/output filtering mitigation, slide 21
huggingface.co →