
Image-resampling prompt injection hidden in downscaled images

Technical Analysis

Summary


Researchers demonstrated image-resampling prompt injection that can make hidden instructions surface after downscaling, creating a path to data leakage or unsafe tool actions in AI systems that process uploaded images.

Timeline

  1. 26.08.2025 00:34 · 1 article

    Image-resampling prompt injection is demonstrated across multiple AI surfaces

    Technical Analysis Update

    Trail of Bits researchers demonstrated a prompt-injection technique in which full-resolution images carry hidden instructions that emerge after downscaling with nearest neighbor, bilinear, or bicubic interpolation. The method was shown against Google Gemini CLI, Vertex AI Studio with the Gemini backend, Gemini's web interface, Gemini's API via the llm CLI, Google Assistant on an Android phone, and Genspark, and the team published Anamorpher in beta to generate images for these resampling methods.

  2. 26.08.2025 00:34 · 1 article

    Gemini CLI proof of concept exfiltrates Google Calendar data

    Victim Impact Update

    In a Gemini CLI proof of concept, hidden instructions embedded in a malicious image caused the model to exfiltrate Google Calendar data to an arbitrary email address while Zapier MCP with `trust=True` approved tool calls without user confirmation. The result showed that invisible image text can be merged with legitimate user input and drive unsafe actions in an agentic workflow.

  3. 26.08.2025 00:34 · 1 article

    Trail of Bits recommends upload limits, previews, and confirmation for image-based tool calls

    Mitigation Patch Update

    Trail of Bits advises AI systems to enforce image-dimension restrictions, show users the downscaled image that will be sent to the LLM, and require explicit confirmation for sensitive tool calls, especially when text is detected in an image. The guidance is intended to reduce prompt injection risk when preprocessing alters uploaded images before model execution.

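The three mitigations above (a dimension limit, a preview of exactly what the model will see after downscaling, and a confirmation step) as an added Python example; this is not Trail of Bits' or Anamorpher's code. It goes slightly beyond the page by gating on disagreement between two samplers rather than on detected text, and `MAX_SIDE`, `DIVERGENCE_THRESHOLD`, the sampler geometry and the two 8x8 inputs are assumptions constructed for the demo.

```python
from typing import List, Tuple

Image = List[List[int]]  # grayscale pixels, 0 (black) to 255 (white), row-major

MAX_SIDE = 1024              # assumed upload limit; a real deployment picks its own value
DIVERGENCE_THRESHOLD = 64.0  # assumed mean per-pixel gap between samplers that triggers review

def downscale_nearest(img: Image, factor: int) -> Image:
    """Keep the top-left source pixel of every factor x factor block (nearest-neighbor style)."""
    return [[row[x] for x in range(0, len(row), factor)] for row in img[::factor]]

def downscale_box(img: Image, factor: int) -> Image:
    """Average every factor x factor block (a stand-in for smoothing filters such as bilinear/bicubic)."""
    out: Image = []
    for y in range(0, len(img), factor):
        row: List[int] = []
        for x in range(0, len(img[0]), factor):
            block = [img[yy][xx] for yy in range(y, y + factor) for xx in range(x, x + factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def resampling_divergence(img: Image, factor: int) -> float:
    """Mean absolute difference between what two samplers produce from the same upload."""
    a, b = downscale_nearest(img, factor), downscale_box(img, factor)
    diffs = [abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)]
    return sum(diffs) / len(diffs)

def gate_upload(img: Image, factor: int) -> Tuple[str, Image]:
    """Return (decision, preview); the preview is the downscaled image the model would actually see."""
    h, w = len(img), len(img[0])
    if h > MAX_SIDE or w > MAX_SIDE:
        return "reject: exceeds dimension limit", []
    preview = downscale_nearest(img, factor)  # show this to the user, not the full-resolution upload
    if resampling_divergence(img, factor) > DIVERGENCE_THRESHOLD:
        return "require confirmation: content differs sharply between samplers", preview
    return "accept", preview

# Constructed inputs: two 8x8 images, each downscaled by a factor of 4.
# Benign: a smooth horizontal gradient, which every sampler reduces to similar values.
GRADIENT = [[x * 16 for x in range(8)] for _ in range(8)]
# Aliasing-sensitive: the one pixel per block that the nearest sampler keeps is black while the
# other 15 are white, so the nearest preview is dark and the averaged preview is near white.
ALIASED = [[0 if (y % 4 == 0 and x % 4 == 0) else 255 for x in range(8)] for y in range(8)]

if __name__ == "__main__":
    for name, img in (("gradient", GRADIENT), ("aliased", ALIASED)):
        decision, preview = gate_upload(img, 4)
        print(name, "->", decision, preview)
```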