Everything in this lesson, sourced.
Every incident, research paper, and reference mentioned in LLM08:2025 — Vector & Embedding Weaknesses — traced back to where it came from.
Framework License
This lesson is built on the OWASP Top 10 for Large Language Model Applications (2025), released under Creative Commons Attribution-ShareAlike 4.0. Definitions, vulnerability categories, mitigation structure, and attack scenarios are drawn directly from this framework. Real-world incidents and research are independent factual reporting, cited individually below.
OWASP Top 10 for LLM Applications 2025 — LLM08: Vector and Embedding Weaknesses
OWASP Foundation · Released 2025 · CC BY-SA 4.0
Cited for: Core definition, 5 vulnerability categories, 6 mitigation categories, 3 official attack scenarios — throughout lesson
genai.owasp.org →
PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation of Large Language Models (Research Paper)
Zou et al. · Penn State University & Illinois Institute of Technology · USENIX Security 2025
Cited for: Retrieval poisoning attack type, 5-document / 90% success rate demonstration, slides 10, 21, 25
USENIX Security 2025 →
Vec2Text: Text Embeddings Reveal (Almost) As Much As Text (Research Paper)
Morris et al. · Cornell University · arXiv:2310.06816 · 2023 (follow-on papers through 2025)
Cited for: Embedding inversion attack type, ~92% reconstruction accuracy for ada-002, slides 11, 22, 25
arXiv:2310.06816 →
Universal Zero-shot Embedding Inversion (ZSinvert) (Research Paper)
Follow-on research · arXiv:2504.00147 · 2025 · Zero-shot offline inversion without model queries
Cited for: 2025 escalation of embedding inversion — offline, query-free variants, slide 11
arXiv:2504.00147 →
ConfusedPilot: Confused Deputy Risks in RAG-based LLMs (Research Paper)
UT Austin SPARK Lab & Symmetry Systems · arXiv:2408.04870 · Disclosed November 2024
Cited for: Enterprise AI poisoning scenario (Scenario 3), persistence after document deletion, slides 16, 17, 23, 24, 25
arXiv:2408.04870 →
ConfusedPilot: UT Austin & Symmetry Systems Disclosure — November 2024 (Research Disclosure)
Cloud Security Alliance · November 12, 2024 · Microsoft 365 Copilot and major RAG implementations
Cited for: ConfusedPilot attack details, Fortune 500 scope statement, slides 1, 16, 23, 24
CSA blog →
ConfusedPilot Attack Can Manipulate RAG-Based AI Systems (Press Coverage)
Dark Reading · November 2024 · Independent verification of attack scope and mechanism
Cited for: Independent corroboration of ConfusedPilot scope, slide 16
Dark Reading →
OWASP LLM08:2025 — Indusface Technical Analysis (Technical Guide)
Indusface · 2025 · Technical breakdown of attack vectors and mitigations
Cited for: Attack type taxonomy, stealthy retrieval attack characteristics, mitigation framing
Indusface guide →
OWASP LLM Top 10:2025 — Vector Encryption Analysis (Technical Commentary)
IronCore Labs · 2025 · Vector encryption feasibility and performance analysis
Cited for: Encryption at rest feasibility, minimal performance penalty claim, slide 22
IronCore Labs →