LLM08:2025Vector & Embedding Weaknesses
Slide 10 of 27
Part 2 · TypesSlide 10
Slide 10 · Retrieval Poisoning — Real Example
PoisonedRAG — USENIX Security 2025.
Research Demonstration · USENIX Security 2025 · Penn State & Illinois Institute of Technology
PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation
No CVE · Peer-reviewed research · Published USENIX Security 2025

The setup: Researchers at Penn State and IIT asked: how many malicious documents do you need to inject into a large knowledge base to control what an LLM says about a specific topic?

The answer: five. By injecting 5 adversarially crafted texts into a knowledge base of millions of documents, PoisonedRAG achieved a 90% attack success rate — the LLM returned the attacker’s chosen answer to the attacker’s chosen question.

The mechanism: Each poisoned document satisfies two optimization conditions: its embedding must score higher cosine similarity to the target query than legitimate documents, and its text must steer the LLM toward the desired answer once retrieved. Both conditions are solvable as adversarial optimization problems in black-box and white-box settings.

Defenses tested: Several existing defenses were evaluated. None fully stopped the attack.

Why it matters for LLM08: 5 documents in a million-document knowledge base. Retrieval poisoning is not a theoretical risk — it has been formally demonstrated at production scale, with documented 90% effectiveness.
← BackNext → Embedding Inversion
📄 View sources for this lesson