LLM4Shell - Discovering and Exploiting RCE Vulnerabilities in LLM-Integrated Frameworks
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the critical security risks associated with integrating Large Language Models (LLMs) into applications through frameworks like LangChain and LlamaIndex in this 36-minute Black Hat conference talk. Dive deep into the causes of Remote Code Execution (RCE) vulnerabilities, termed LLM4Shell, within LLM-Integrated frameworks. Discover the findings of a systematic investigation that uncovered 15 critical vulnerabilities across 8 popular frameworks, with 13 confirmed by developers and 9 CVE IDs assigned. Examine the exploitation of 51 LLM-Integrated applications, including 16 with RCE vulnerabilities and one susceptible to SQL injection. Learn about the automated prompt-based exploitation method and its real-world implications, from data theft to DoS and phishing attacks. Gain actionable insights and potential mitigations to secure LLM-Integrated frameworks and applications against these emerging threats.
Syllabus
LLM4Shell: Discovering and Exploiting RCE Vulnerabilities in Real-World LLM-Integrated Frameworks
Taught by
Black Hat
Related Courses
Network Security (Georgia Institute of Technology via Udacity)
Privacy and Security in Online Social Media (Indian Institute of Technology Delhi via Swayam)
The Absolute Beginners Guide to Cyber Security 2024 - Part 1 (Udemy)
Offensive Security Engineering (Udemy)
Cyber Security Foundations: Common Malware Attacks and Defense Strategies (EC-Council via FutureLearn)