Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models

Junjie Xiong; Changjia Zhu; Shuhang Lin; Chong Zhang; Yongfeng Zhang; Yao Liu; Lingyao Li

Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models

Junjie Xiong^*, Changjia Zhu, Shuhang Lin, Chong Zhang, Yongfeng Zhang, Yao Liu^*, Lingyao Li^*

^*Corresponding author for this work

School of Advanced Technology

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

373 Downloads (Pure)

Abstract

Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) "malicious content relay" and (2) "sensitive data leakage" through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.

Original language	English
Title of host publication	The 2025 Conference on Empirical Methods in Natural Language Processing
Subtitle of host publication	EMNLP 2025
Editors	Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, Violet Peng
Place of Publication	Suzhou, China
Publisher	Association for Computational Linguistics (ACL)
Chapter	2025.findings-emnlp
Pages	7133-7147
Number of pages	14
Volume	2505
Edition	16957
Publication status	Published - 3 Nov 2025
Event	The Conference on Empirical Methods in Natural Language Processing 2025: EMNLP - Suzhou International Expo Center, Suzhou, China, Suzhou, China Duration: 5 Nov 2025 → 9 Nov 2025 https://2025.emnlp.org/

Publication series

Name	Association for Computational Linguistics

Conference

Conference	The Conference on Empirical Methods in Natural Language Processing 2025
Country/Territory	China
City	Suzhou
Period	5/11/25 → 9/11/25
Internet address	https://2025.emnlp.org/

Access to Document

2025.findings-emnlp.376Final published version, 1.71 MBLicence: CC BY

Cite this

Xiong, J., Zhu, C., Lin, S., Zhang, C., Zhang, Y., Liu, Y., & Li, L. (2025). Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models. In C. Christodoulopoulos, T. Chakraborty, C. Rose, & V. Peng (Eds.), The 2025 Conference on Empirical Methods in Natural Language Processing: EMNLP 2025 (16957 ed., Vol. 2505, pp. 7133-7147). Article 376 (Association for Computational Linguistics). Association for Computational Linguistics (ACL).

Xiong, Junjie ; Zhu, Changjia ; Lin, Shuhang et al. / Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models. The 2025 Conference on Empirical Methods in Natural Language Processing: EMNLP 2025. editor / Christos Christodoulopoulos ; Tanmoy Chakraborty ; Carolyn Rose ; Violet Peng. Vol. 2505 16957. ed. Suzhou, China : Association for Computational Linguistics (ACL), 2025. pp. 7133-7147 (Association for Computational Linguistics).

@inproceedings{17b3dc456edc46c499dfcc52a77f4393,

title = "Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models",

abstract = "Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) {"}malicious content relay{"} and (2) {"}sensitive data leakage{"} through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.",

author = "Junjie Xiong and Changjia Zhu and Shuhang Lin and Chong Zhang and Yongfeng Zhang and Yao Liu and Lingyao Li",

year = "2025",

month = nov,

day = "3",

language = "English",

volume = "2505",

series = "Association for Computational Linguistics",

publisher = "Association for Computational Linguistics (ACL)",

pages = "7133--7147",

editor = "Christodoulopoulos, \{Christos \} and Chakraborty, \{ Tanmoy \} and Carolyn Rose and Violet Peng",

booktitle = "The 2025 Conference on Empirical Methods in Natural Language Processing",

edition = "16957",

note = "The Conference on Empirical Methods in Natural Language Processing 2025 : EMNLP ; Conference date: 05-11-2025 Through 09-11-2025",

url = "https://2025.emnlp.org/",

}

Xiong, J, Zhu, C, Lin, S, Zhang, C, Zhang, Y, Liu, Y & Li, L 2025, Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models. in C Christodoulopoulos, T Chakraborty, C Rose & V Peng (eds), The 2025 Conference on Empirical Methods in Natural Language Processing: EMNLP 2025. 16957 edn, vol. 2505, 376, Association for Computational Linguistics, Association for Computational Linguistics (ACL), Suzhou, China, pp. 7133-7147, The Conference on Empirical Methods in Natural Language Processing 2025, Suzhou, China, 5/11/25.

Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models. / Xiong, Junjie; Zhu, Changjia; Lin, Shuhang et al.
The 2025 Conference on Empirical Methods in Natural Language Processing: EMNLP 2025. ed. / Christos Christodoulopoulos; Tanmoy Chakraborty; Carolyn Rose; Violet Peng. Vol. 2505 16957. ed. Suzhou, China: Association for Computational Linguistics (ACL), 2025. p. 7133-7147 376 (Association for Computational Linguistics).

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

TY - GEN

T1 - Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models

AU - Xiong, Junjie

AU - Zhu, Changjia

AU - Lin, Shuhang

AU - Zhang, Chong

AU - Zhang, Yongfeng

AU - Liu, Yao

AU - Li, Lingyao

PY - 2025/11/3

Y1 - 2025/11/3

N2 - Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) "malicious content relay" and (2) "sensitive data leakage" through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.

AB - Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1) "malicious content relay" and (2) "sensitive data leakage" through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.

UR - https://aclanthology.org/2025.findings-emnlp.376/

M3 - Conference Proceeding

VL - 2505

T3 - Association for Computational Linguistics

SP - 7133

EP - 7147

BT - The 2025 Conference on Empirical Methods in Natural Language Processing

A2 - Christodoulopoulos, Christos

A2 - Chakraborty, Tanmoy

A2 - Rose, Carolyn

A2 - Peng, Violet

PB - Association for Computational Linguistics (ACL)

CY - Suzhou, China

T2 - The Conference on Empirical Methods in Natural Language Processing 2025

Y2 - 5 November 2025 through 9 November 2025

ER -

Xiong J, Zhu C, Lin S, Zhang C, Zhang Y, Liu Y et al. Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models. In Christodoulopoulos C, Chakraborty T, Rose C, Peng V, editors, The 2025 Conference on Empirical Methods in Natural Language Processing: EMNLP 2025. 16957 ed. Vol. 2505. Suzhou, China: Association for Computational Linguistics (ACL). 2025. p. 7133-7147. 376. (Association for Computational Linguistics).

Invisible Prompts, Visible Threats: Malicious Font Injection in External Resources for Large Language Models

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this