PART 1
What Is It?
Slides 1–8 · No jargon yet
Slide 1 · The Setup
Before we define anything — read this story.
This happened. Follow it. The definition will make sense after.
The Scenario

A fintech company ships an AI-powered customer-support chatbot. Agents use it daily — a user submits a question, the LLM writes the response, and it appears in the agent’s dashboard. Fast, helpful, saves hours.

Then This Happens

An attacker submits a support request. Buried in the ticket text is a fragment of JavaScript. The LLM processes the ticket and echoes the fragment back inside its reply. The dashboard renders the response as HTML. The script runs in the agent’s browser. The agent’s session token is silently sent to the attacker’s server.

Nobody injected a database. Nobody stole a password. The LLM’s own output was the weapon.

What Just Happened

The application passed the LLM’s text directly to a browser without checking whether it contained executable code. The browser did exactly what browsers do — it ran the code. This is Improper Output Handling: failing to validate, sanitize, or encode what an LLM produces before it reaches a downstream system.
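To make the scenario concrete, here is an added example (not code from the slide deck or from the company it describes) showing the two rendering paths side by side: the dashboard splicing the LLM's reply straight into markup, and the same reply HTML-encoded for the context it lands in. The reply text, the function names and the `.reply` wrapper are constructed for illustration.

```javascript
// Added example: context-aware encoding of LLM output before it reaches a browser.
// All names and the sample reply are illustrative, not taken from the slides.

// Constructed sample: an LLM reply that echoes a script fragment from the ticket.
const SAMPLE_LLM_REPLY =
  'Thanks for reaching out! I see your note: <script>probe()</script> ' +
  'and will check it. Please confirm your order number.';

// Encode the five characters that change meaning in an HTML text/attribute context.
// '&' must be handled first so already-encoded entities are not double-escaped later.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the LLM's text is inserted into markup untouched,
// which is what the dashboard in the story did.
function renderUnsafe(llmReply) {
  return `<div class="reply">${llmReply}</div>`;
}

// HARDENED: the same reply, encoded for the HTML context it is placed in.
// The agent still sees the literal characters; the browser never parses them as tags.
function renderSafe(llmReply) {
  return `<div class="reply">${escapeHtml(llmReply)}</div>`;
}

// A simple check a defender can run in tests: after our own wrapper is removed,
// no raw '<' or '>' from the LLM text should survive into the page.
function containsRawMarkup(html) {
  const inner = html
    .replace(/^<div class="reply">/, '')
    .replace(/<\/div>$/, '');
  return /[<>]/.test(inner);
}

// Stand-alone demonstration.
console.log('unsafe contains raw markup:', containsRawMarkup(renderUnsafe(SAMPLE_LLM_REPLY))); // true
console.log('safe contains raw markup:  ', containsRawMarkup(renderSafe(SAMPLE_LLM_REPLY)));   // false
```

In a real browser the equivalent hardened path is to assign the reply to `element.textContent` (a text node) rather than `element.innerHTML`; the encoding above is the server-side or template-side form of the same decision. The key design point is that the output is encoded for the specific destination (HTML here); a reply headed for a SQL query or a shell command needs a different treatment for that context, not this one.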

One Line to Remember

Improper Output Handling is what happens when you trust the LLM’s text and pass it downstream — into a browser, a database, a shell — without making it safe for that context.
