CWE-1427: Improper Neutralization of Input Used for LLM Prompting

BaseIncomplete

The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.

View on MITRE
Back to CWE Lookup

Extended Description

When prompts are constructed using externally controllable data, it is often possible to cause an LLM to ignore the original guidance provided by its creators (known as the "system prompt") by inserting malicious instructions in plain human language or using bypasses such as special characters or tags. Because LLMs are designed to treat all instructions as legitimate, there is often no way for the model to differentiate between what prompt language is malicious when it performs inference and returns data. Many LLM systems incorporate data from other adjacent products or external data sources like Wikipedia using API calls and retrieval augmented generation (RAG). Any external sources in use that may contain untrusted data should also be considered potentially malicious.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1427: Improper Neutralization of Input Used for LLM Prompting?+

CWE-1427: Improper Neutralization of Input Used for LLM Prompting is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives. When prompts are constructed using externally controllable data, it is often possible to cause an LLM to ignore the original guidance provided by its creators (known as the "system prompt") by inserting malicious instructions in plain human language or using bypasses such as special characters or tags. Because LLMs are designed to treat all instructions as legitimate, there is often no way for the model to differentiate between what prompt language is malicious when it performs inference and returns data. Many LLM systems incorporate data from other adjacent products or external data sources like Wikipedia using API calls and retrieval augmented generation (RAG). Any external sources in use that may contain untrusted data should also be considered potentially malicious.

What are the security consequences of Improper Neutralization of Input Used for LLM Prompting?+

If exploited, CWE-1427 (Improper Neutralization of Input Used for LLM Prompting) it can compromise Confidentiality, Integrity, Availability and Access Control, leading to outcomes such as Execute Unauthorized Code or Commands, Varies by Context, Read Application Data, Modify Application Data and Gain Privileges or Assume Identity.

How do you prevent or mitigate Improper Neutralization of Input Used for LLM Prompting?+

Recommended mitigations for CWE-1427 include: LLM-enabled applications should be designed to ensure proper sanitization of user-controllable input, ensuring that no intentionally misleading or dangerous characters can be included. Additionally, they should be designed in a way that ensures that user-controllable input is identified as untrusted and potentially dangerous. LLM prompts should be constructed in a way that effectively differentiates between user-supplied input and developer-constructed system prompting to reduce the chance of model confusion at inference-time. LLM-enabled applications should be designed to ensure proper sanitization of user-controllable input, ensuring that no intentionally misleading or dangerous characters can be included. Additionally, they should be designed in a way that ensures that user-controllable input is identified as untrusted and potentially dangerous.

How is Improper Neutralization of Input Used for LLM Prompting detected?+

CWE-1427 can be detected using Dynamic Analysis with Manual Results Interpretation, Dynamic Analysis with Automated Results Interpretation and Architecture or Design Review. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Improper Neutralization of Input Used for LLM Prompting?+

CWE-1427 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Neutralization of Input Used for LLM Prompting?+

MITRE documents real CVEs mapped to CWE-1427, including CVE-2023-32786, CVE-2024-5184 and CVE-2024-5565. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1427 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More