
QueryIPI: Query-agnostic Indirect Prompt Injection on Coding Agents

Authors: Yuchong Xie, Zesen Liu, Mingyu Luo, Zhixiang Zhang, Kaikai Zhang, Zongjie Li, Ping Chen, Shuai Wang, Dongdong She

Published: 2025-10-27

arXiv ID: 2510.23675v1

Added to Library: 2025-11-11 14:28 UTC

Red Teaming

📄 Abstract

Modern coding agents integrated into IDEs combine powerful tools and system-level actions, exposing a high-stakes attack surface. Existing Indirect Prompt Injection (IPI) studies focus mainly on query-specific behaviors, leading to unstable attacks with lower success rates. We identify a more severe, query-agnostic threat that remains effective across diverse user inputs. This challenge can be overcome by exploiting a common vulnerability: leakage of the agent's internal prompt, which turns the attack into a constrained white-box optimization problem. We present QueryIPI, the first query-agnostic IPI method for coding agents. QueryIPI refines malicious tool descriptions through an iterative, prompt-based process informed by the leaked internal prompt. Experiments on five simulated agents show that QueryIPI achieves up to 87 percent success, outperforming baselines, and the generated malicious descriptions also transfer to real-world systems, highlighting a practical security risk to modern LLM-based coding agents.

🔍 Key Points

  • Introduction of QueryIPI as the first query-agnostic Indirect Prompt Injection method tailored for coding agents.
  • Demonstration of QueryIPI's efficacy with success rates reaching up to 87% in simulated environments, surpassing traditional query-specific methods.
  • Illustration of the practical transferability of malicious tool descriptions generated by QueryIPI to real-world coding agents, highlighting severe security risks.
  • Methodology that exploits leaked internal prompts to optimize attack strategies, changing the attack paradigm from black-box to white-box optimization.
  • Comprehensive evaluation against a variety of defense strategies, demonstrating the stealth and resilience of the QueryIPI method.

💡 Why This Paper Matters

This paper presents a critical advancement in understanding vulnerabilities in coding agents integrated into IDEs by introducing a novel attack method, QueryIPI. The significance lies in its ability to perform query-agnostic Indirect Prompt Injection, demonstrating a high level of success and practicality in attacking real-world systems without being contingent on specific user queries. Such insights are vital for enhancing the security of AI-driven tools in software development, suggesting the necessity for improved safeguarding measures.

🎯 Why It's Interesting for AI Security Researchers

This paper would be of considerable interest to AI security researchers because it unveils a new class of vulnerability in coding agents that can be exploited regardless of the user query content. Its implications signal an urgent need for robust defenses against such attacks and help guide future research directions. The findings indicate an evolving threat landscape in which traditional defenses may fall short, prompting the exploration of new security frameworks to protect AI systems.
