Slide 5 · Not Prompt Injection
LLM05 is often confused with LLM01. They’re not the same.
Both matter. But the failure point is different.

LLM01 — Prompt Injection

Where: The input to the model
What: Attacker hijacks the model’s behavior
Goal: Get the model to do something it shouldn’t
Fix: Input validation, system-prompt hardening

LLM05 — Improper Output Handling

Where: The output from the model, flowing downstream
What: App uses LLM output without sanitizing it
Goal: Payload executes in browser, DB, or shell
Fix: Output encoding, parameterized queries, sandboxes

How They Connect

LLM01 often enables LLM05. An attacker uses prompt injection to produce a malicious output — then LLM05 is what lets that output execute. But LLM05 can happen with no injection at all: a model might spontaneously produce HTML or code that’s dangerous when rendered, or an attacker might manipulate data the model reads (indirect injection) without ever touching the prompt directly.

Quick Test

Prompt Injection (LLM01): "Is the model doing what we intended?"
Improper Output Handling (LLM05): "Is the app handling the model’s response safely?"
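
The LLM05 fixes listed above (output encoding, parameterized queries), shown beside the unsafe handling they replace. This is an added example, not part of the original slide; the function names, the table and the sample model outputs are constructed for illustration.

```python
import html
import sqlite3

# Constructed samples: text a model might return, whether through prompt
# injection (LLM01) or on its own. The app must treat both as untrusted.
MODEL_OUTPUT_HTML = 'Summary ready <img src=x onerror="alert(1)">'
MODEL_OUTPUT_NAME = "nobody' OR '1'='1"


def render_unsafe(text: str) -> str:
    """LLM05: model output concatenated straight into markup."""
    return f"<div class='answer'>{text}</div>"


def render_safe(text: str) -> str:
    """Output encoding: the browser receives inert text, not tags."""
    return f"<div class='answer'>{html.escape(text, quote=True)}</div>"


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)",
                   [("alice", "a-note"), ("bob", "b-note")])
    return db


def lookup_unsafe(db: sqlite3.Connection, owner: str) -> list:
    """LLM05: model output spliced into the SQL text itself."""
    return db.execute(
        f"SELECT body FROM notes WHERE owner = '{owner}'").fetchall()


def lookup_safe(db: sqlite3.Connection, owner: str) -> list:
    """Parameterized query: the value cannot change the statement."""
    return db.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(render_unsafe(MODEL_OUTPUT_HTML))      # tag reaches the browser
    print(render_safe(MODEL_OUTPUT_HTML))        # tag arrives as text
    print(lookup_unsafe(db, MODEL_OUTPUT_NAME))  # every row comes back
    print(lookup_safe(db, MODEL_OUTPUT_NAME))    # no owner by that name
```

Neither safe function inspects the prompt: the defense sits at the point where the output is used, which is the LLM05 failure point.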
