Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models

Junjie Xiong; Changjia Zhu; Shuhang Lin; Chong Zhang; Yongfeng Zhang; Yao Liu; Lingyao Li

Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models

Junjie Xiong^*, Changjia Zhu, Shuhang Lin, Chong Zhang, Yongfeng Zhang, Yao Liu^*, Lingyao Li^*

^*Corresponding author for this work

School of Advanced Technology

Research output: Contribution to journal › Conference article

1 Downloads (Pure)

Abstract

Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) "malicious content relay" and (2) "sensitive data leakage" through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.

Original language	English
Article number	1
Pages (from-to)	1-14
Number of pages	14
Journal	arXiv
Volume	2505
Issue number	16957
Publication status	Published - 22 May 2025

Access to Document

Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language ModelsSubmitted manuscript, 1.72 MBLicence: CC BY

Cite this

@article{17b3dc456edc46c499dfcc52a77f4393,

title = "Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models",

abstract = "Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) {"}malicious content relay{"} and (2) {"}sensitive data leakage{"} through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.",

author = "Junjie Xiong and Changjia Zhu and Shuhang Lin and Chong Zhang and Yongfeng Zhang and Yao Liu and Lingyao Li",

year = "2025",

month = may,

day = "22",

language = "English",

volume = "2505",

pages = "1--14",

journal = "arXiv",

number = "16957",

}

TY - JOUR

T1 - Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models

AU - Xiong, Junjie

AU - Zhu, Changjia

AU - Lin, Shuhang

AU - Zhang, Chong

AU - Zhang, Yongfeng

AU - Liu, Yao

AU - Li, Lingyao

PY - 2025/5/22

Y1 - 2025/5/22

N2 - Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) "malicious content relay" and (2) "sensitive data leakage" through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.

AB - Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) "malicious content relay" and (2) "sensitive data leakage" through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.

M3 - Conference article

VL - 2505

SP - 1

EP - 14

JO - arXiv

JF - arXiv

IS - 16957

M1 - 1

ER -