LLM08 · OWASP LLM Top 10 (2025)

Vector and Embedding Weaknesses

RAG put vector databases everywhere. Most teams trust their similarity-search results without realising they are a wide-open attack surface — for retrieval hijack, embedding inversion, and tenant boundary failures.

01 What it is

Risks arising from embedding generation, storage, retrieval, and re-use. Includes embedding-inversion attacks (reconstruct text from embeddings), retrieval hijack (craft documents that always rank highly), cross-tenant leakage, and embedding-space adversarial perturbations.

02 Why it matters

A poisoned chunk in the vector store is worse than a poisoned email. Every relevant query retrieves it; the LLM treats it as ground truth. Embedding inversion has progressed from theoretical to demonstrable — full text recovery from embeddings of sensitive documents is now feasible. Most production RAG systems have no defences.

03 Attack vectors

  • Retrieval hijack — craft a document with embedding close to common queries; it dominates retrieval.
  • Embedding inversion — given an embedding, recover the source text (e.g., via vec2text).
  • Cross-tenant leak — applying the tenant_id filter AFTER the similarity search instead of BEFORE it, so other tenants' chunks are already in the candidate set and any missed filter returns them.
  • Index poisoning — flood the store with adversarial documents to push legitimate ones out.
  • Adversarial perturbation — small text changes that drastically shift embeddings.
  • Embedding model swap — re-embed with a different model; existing vectors become meaningless but get returned anyway.

04 Defence patterns

  • Apply tenant + access filters BEFORE the ANN search, via metadata pre-filtering.
  • Treat embeddings as sensitive data — encrypt at rest, restrict access, audit retrieval.
  • Hybrid retrieval (BM25 + dense) makes pure embedding-space attacks harder.
  • Reranker as a sanity check — does the top result genuinely answer the question?
  • Quarantine new chunks — never ingest user uploads directly into the live index.
  • Pin embedding model versions; re-embed deliberately on upgrade.

05 Detection

Signals to watch

Audit retrieval — sample queries and verify returned chunks belong to the right tenant. Log the top-k chunks for every query; alert on retrieval that contradicts known-good answers. Watch for adversarial uploads (high embedding similarity to common queries).
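The cross-tenant leak from the attack vectors above, the pre-filtering defence, and the retrieval audit described here, shown side by side in an added example (not code from the original page or from any vector database). The store, tenant names, 3-d vectors and query are constructed, and exact cosine ranking stands in for a real ANN index.

```python
import math
from typing import List, Sequence, Tuple

# Constructed sample index shared by two tenants: (chunk_id, tenant_id, embedding).
# 3-d toy vectors stand in for real embeddings; "acme" and "globex" share one store.
Row = Tuple[str, str, List[float]]
INDEX: List[Row] = [
    ("acme-1",   "acme",   [0.90, 0.10, 0.00]),
    ("acme-2",   "acme",   [0.20, 0.80, 0.10]),
    ("globex-1", "globex", [0.95, 0.05, 0.00]),
    ("globex-2", "globex", [0.85, 0.15, 0.05]),
]

def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def rank(rows: List[Row], query: Sequence[float], k: int) -> List[Row]:
    # Exact nearest-neighbour ranking; a real ANN index would approximate this.
    return sorted(rows, key=lambda r: cosine(query, r[2]), reverse=True)[:k]

def search_postfilter(query: Sequence[float], tenant: str, k: int = 2) -> List[Row]:
    # Weak pattern: top-k over the whole store, tenant filter applied afterwards.
    # Other tenants' chunks are retrieved first and only dropped at the end, and
    # the caller often gets fewer than k results (tempting a "k * 10" workaround
    # that pulls even more foreign data out of the store).
    return [r for r in rank(INDEX, query, k) if r[1] == tenant]

def search_prefilter(query: Sequence[float], tenant: str, k: int = 2) -> List[Row]:
    # Defence pattern: restrict candidates to the tenant first, then rank.
    # Other tenants' rows are never candidates, so nothing can slip past the filter.
    return rank([r for r in INDEX if r[1] == tenant], query, k)

def audit_retrieval(results: List[Row], tenant: str) -> List[str]:
    # Detection check for the retrieval log: ids of returned chunks that do not
    # belong to the requesting tenant. Anything here is a cross-tenant leak signal.
    return [r[0] for r in results if r[1] != tenant]

if __name__ == "__main__":
    q = [1.0, 0.0, 0.0]                  # constructed query close to acme-1 and globex-1
    raw = rank(INDEX, q, 2)              # what an unfiltered ANN search hands back
    print("unfiltered top-2:", [r[0] for r in raw])                      # ['globex-1', 'acme-1']
    print("foreign chunks for acme:", audit_retrieval(raw, "acme"))      # ['globex-1']
    print("post-filter:", [r[0] for r in search_postfilter(q, "acme")])  # ['acme-1']
    print("pre-filter:", [r[0] for r in search_prefilter(q, "acme")])    # ['acme-1', 'acme-2']
```

Running `audit_retrieval` over the logged top-k of sampled queries is the check the detection section describes; with pre-filtering in place it should always return an empty list.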

06 India context

DPDP · RBI · CERT-In

DPDP processor obligations apply to embeddings of personal data — they are processed personal data, not just numbers. Cross-tenant leakage in a B2B AI tool serving multiple Indian businesses can trigger separate breach notifications per tenant.
