Sources & Attribution
Everything in this lesson, sourced.
Every incident, CVE, and research paper mentioned in LLM05:2025 — Improper Output Handling — traced back to where it came from.
Framework License

This lesson is built on the OWASP Top 10 for Large Language Model Applications (2025), released under Creative Commons Attribution-ShareAlike 4.0. Definitions, vulnerability categories, mitigation structure, and attack scenarios are drawn directly from this framework. Real-world incidents and CVE details are independent factual reporting, cited individually below.

01
Primary Framework
The structure this entire lesson is built on
OWASP Top 10 for LLM Applications 2025 — LLM05: Improper Output Handling
OWASP Foundation · Released 2025 · CC BY-SA 4.0
Cited for: Core definition, 4 attack patterns, 4 official attack scenarios, 7 mitigation categories throughout all slides
genai.owasp.org →
02
CVEs — Official Records
Formally catalogued vulnerabilities referenced in this lesson
CVE-2023-29374 — LangChain LLMMathChain RCE · CVSS 9.8 Critical
LangChain · Affected versions <= 0.0.131 · Fixed in 0.0.141 · Disclosed January–March 2023
Cited for: Code injection / RCE attack pattern, exec() on LLM output, M1 and M4 mitigation slides — slides 11, 19, 22, 27
NVD record →
CVE-2024-5565 — Vanna.AI Prompt Injection to RCE · CVSS 9.2 Critical (v4.0)
Vanna.AI text-to-SQL library · JFrog Security Research · Disclosed June 2024
Cited for: SQL injection attack pattern, multi-layer exec() chain, M3 and M4 mitigation slides — slides 12, 21, 22, 27
NVD record →
03
Confirmed Incidents & Research Disclosures
Real-world events verified against primary or first-party sources
ChatGPT Plugin XSS — Imperva Threat Research, 2023 · Security Research
Imperva Threat Research · Researcher disclosure · LLM output rendered without sanitization in ChatGPT plugin interface
Cited for: XSS via LLM output attack pattern, M2 output encoding mitigation — slides 10, 20, 27
Imperva blog →
Vanna.AI CVE-2024-5565 — JFrog Deep Dive · Security Research
JFrog Security Research · June 2024 · Full attack chain analysis: prompt injection → SQL → Plotly Python → exec() → RCE
Cited for: Detailed attack chain mechanics for CVE-2024-5565, slides 12, 21
JFrog analysis →
04
Supporting References
OWASP standards and security guidance cited for mitigation recommendations
OWASP Application Security Verification Standard (ASVS) · Security Standard
OWASP Foundation · Comprehensive application security requirements including output encoding, injection prevention, and secure coding
Cited for: M1 zero-trust output, M2 encoding requirements — slide 19
OWASP ASVS →
OWASP XSS Prevention Cheat Sheet · Security Reference
OWASP Foundation · Context-aware output encoding rules for HTML, JavaScript, URL, and CSS contexts
Cited for: M2 context-aware encoding guidance — slide 20
OWASP XSS Cheat Sheet →
OWASP SQL Injection Prevention Cheat Sheet · Security Reference
OWASP Foundation · Parameterized queries, prepared statements, and ORM-level protections
Cited for: M3 parameterized query guidance — slide 21
OWASP SQL Injection Cheat Sheet →