AI Agents Vulnerable to Data Injection
A new research paper details how 'probabilistic delimiter injection' allows attackers to bypass AI safety guards with fake data.
When an AI agent is instructed to summarize a product page or apply a repository fix, the security of the operation typically hinges on the model's ability to distinguish between verified instructions and external content. Recent research suggests that this fundamental separation is failing, as a new class of vulnerability known as agent data injection (ADI) allows malicious actors to manipulate an agent's logic without ever triggering traditional prompt-injection defenses.
The Mechanics of Probabilistic Delimiter Injection
The core of the ADI attack lies in how large language models interpret structural punctuation. Agents rely on specific markers—such as quotes, braces, tags, or line breaks—to compartmentalize information, separating trusted fields like sender identities or tool results from untrusted input like message bodies. While traditional software follows rigid parsing rules, language models operate on probabilistic guesswork.
By injecting fake punctuation characters into fields they control, attackers can trick a model into hallucinating structure that does not exist. The researchers discovered that this method remains effective even with imprecise characters, such as escaped quotes or curly brackets, which a strict parser would identify as mere text but an AI model interprets as structural commands. This allows an attacker to effectively fabricate email metadata, button identifiers, or tool execution records.
Quantifiable Security Gaps
Testing across various models and platforms revealed a consistent vulnerability to these manipulation tactics:
- Models tested include OpenAI's GPT-5.2 and GPT-5-mini, Anthropic's Claude Opus 4.5 and Sonnet 4.5, and Google's Gemini 3 Pro and Flash.
- The attack succeeded on structured data 31% to 43% of the time across all six models.
- When tested against purpose-built agent defenses, the success rate for ADI reached up to 50%, compared to a near-zero success rate for classic instruction-smuggling attacks.
- Implementing random, unguessable tags for page elements, as seen in ChatGPT's Atlas browser, halved the success rate of click-based attacks from approximately 49% to 29%.
Forging Trust in Automated Workflows
The researchers demonstrated how these attacks manifest in real-world scenarios, particularly within web agents and coding assistants. By manipulating IDs, an attacker can cause a web agent to click a 'Buy Now' button instead of the intended 'Read More' link. In development environments, an attacker can forge an author line in a GitHub comment, appearing as a project maintainer to trick an agent into executing unauthorized commands on a developer's machine.
OpenAI, Google, and Anthropic have all confirmed the attack is valid, and OpenAI and Google asked for a copy of the paper. We have not been informed of any fix, whether shipped or planned.
— Woohyuk Choi, who wrote the paper posted July 6 with Prof. Byoungyoung Lee
The Challenge of Remediation
While some mitigations, such as data provenance tracking or stripping punctuation, have shown promise in laboratory settings, they often impose severe performance costs or break essential agent functionality. Current defenses are largely optimized to detect 'instruction injection,' where an attacker attempts to override the model's task directly. ADI, by contrast, operates under the guise of legitimate data, exploiting the model's trust in its own memory and input history.
As AI agents become increasingly integrated into software supply chains, the risk posed by these vulnerabilities expands. Previous incidents, such as EchoLeak and methods to steer an agent into reading a private repository and leaking it, highlight a persistent trend: systems struggle to maintain a clear boundary between trusted internal state and user-supplied data. For businesses and developers, the primary takeaway is that user-approval prompts are insufficient when the reasoning behind those prompts is built upon a foundation of fabricated facts.
Continue Reading
The AI Attack Surface of Executives
Modern AI tools have collapsed reconnaissance time for social engineering, turning executive public profiles into critical security risks.
Twig Template Engine Vulnerability Allows Sandbox Policy Bypass
A critical vulnerability in Twig versions 3.9.0 through 3.25.0 allows sandboxed templates to bypass security policy enforcement.
Critical PHP Injection Vulnerability Patched in Twig Template Engine
A critical vulnerability in Twig versions prior to 3.26.0 allows attackers to inject arbitrary PHP code via crafted template names in {% use %} tags.