Detection Library
medium · experimental · Linux · AI/ML · T1005

LLM Service Reading User-Supplied Files From Temp Or Upload Paths

Detects LLM service processes accessing files under temporary or upload directories. Attackers can plant malicious content in these paths to deliver indirect prompt injections via document ingestion.

Updated Jan 15, 2025 · Detection Engineering Team

llm · prompt-injection · linux · file-access · owasp-llm01

Problem Statement

LLM services that read user-supplied documents from staging paths are vulnerable to indirect prompt injection. Malicious content embedded in uploaded files can hijack model behaviour.

Sample Logs

{"timestamp":"2025-01-15T14:33:11Z","computer_name":"llm-host-01","user":"llm_svc","image":"/opt/llm/app/rag_ingest.py","target_filename":"/tmp/gradio/upload_abc123/document.pdf","access_type":"read"}

Required Fields

image
target_filename
user
computer_name

False Positives

  • Legitimate document ingestion pipelines that stage files in /tmp before processing
  • Gradio or Streamlit demo apps with intentional upload directories

Tuning Guidance

Scope to file extensions associated with document ingestion (.pdf, .txt, .docx, .md). Exclude known automated pipeline service accounts.
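As an added illustration (not the library's own detection logic), the Python below applies this rule and the Tuning Guidance to raw JSON events of the shape shown under Sample Logs: it requires the listed fields, matches LLM service processes reading under staging paths, scopes to the document extensions named above, and suppresses an excluded pipeline account. The `/opt/llm/` process prefix, the staging directory list, and the `ingest_pipeline` account are assumptions; all sample lines except the page's own event are constructed.

```python
import json
import posixpath

# All values below are assumptions for this added example, not the page's rule logic.
LLM_IMAGE_PREFIXES = ("/opt/llm/",)                    # where the LLM service code lives
STAGING_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/srv/uploads/")
INGEST_EXTENSIONS = {".pdf", ".txt", ".docx", ".md"}   # extensions named in Tuning Guidance
EXCLUDED_ACCOUNTS = {"ingest_pipeline"}                # hypothetical automated pipeline account
REQUIRED_FIELDS = ("image", "target_filename", "user", "computer_name")

def evaluate(event):
    """Return an alert reason for one parsed event, or None if it should not fire."""
    if any(field not in event for field in REQUIRED_FIELDS):
        return None  # the rule cannot be evaluated without its required fields
    if event.get("access_type", "read") != "read":
        return None
    if event["user"] in EXCLUDED_ACCOUNTS:
        return None  # tuning: known automated pipeline service accounts
    if not event["image"].startswith(LLM_IMAGE_PREFIXES):
        return None
    # normalise so "/tmp/../etc/x" or "/tmp//a" cannot confuse the prefix test
    path = posixpath.normpath(event["target_filename"])
    if not path.startswith(STAGING_PREFIXES):
        return None
    if posixpath.splitext(path)[1].lower() not in INGEST_EXTENSIONS:
        return None  # tuning: scope to document-ingestion extensions
    return f"{event['image']} read {path} as {event['user']} on {event['computer_name']}"

def scan(lines):
    """Run evaluate() over raw JSON log lines, skipping lines that are not JSON."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = evaluate(event)
        if reason:
            alerts.append(reason)
    return alerts

# Constructed sample lines: the page's own event, then three made-up variants and one junk line.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-15T14:33:11Z","computer_name":"llm-host-01","user":"llm_svc","image":"/opt/llm/app/rag_ingest.py","target_filename":"/tmp/gradio/upload_abc123/document.pdf","access_type":"read"}',
    '{"timestamp":"2025-01-15T14:33:12Z","computer_name":"llm-host-01","user":"llm_svc","image":"/opt/llm/app/rag_ingest.py","target_filename":"/tmp/model.bin","access_type":"read"}',
    '{"timestamp":"2025-01-15T14:34:00Z","computer_name":"llm-host-01","user":"ingest_pipeline","image":"/opt/llm/app/rag_ingest.py","target_filename":"/tmp/batch/report.docx","access_type":"read"}',
    '{"timestamp":"2025-01-15T14:35:00Z","computer_name":"llm-host-01","user":"llm_svc","image":"/opt/llm/app/rag_ingest.py","target_filename":"/tmp/../etc/hosts.txt","access_type":"read"}',
    'garbage line that is not JSON',
]
```

Only the first sample line fires: the second fails the extension scope, the third is the excluded account, and the fourth normalises out of the staging tree.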