Improper Validation of Generative AI Output

Incomplete Base

Structure: Simple

Description

This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before using it. Without this validation, the AI's responses might contain security flaws, harmful content, or data leaks that violate the application's intended policies.

Extended Description

Generative AI models are powerful but unpredictable. They can be tricked into producing malicious code, biased decisions, offensive content, or sensitive training data. If your application blindly trusts and acts on these outputs, it can lead to injection attacks, compliance violations, or data breaches. You must implement robust validation checks—like content filtering, code sanitization, and policy enforcement—on every AI response before it's processed further. Continuously monitoring for these validation failures across all your AI-integrated services is a complex challenge. An ASPM platform like Plexicus can automatically detect these flaws in your runtime environment, while its AI-powered remediation provides specific fixes to harden your validation logic, ensuring your AI features remain secure and reliable.

Common Consequences 1

Scope: Integrity

Impact: Execute Unauthorized Code or CommandsVaries by Context

In an agent-oriented setting, output could be used to cause unpredictable agent invocation, i.e., to control or influence agents that might be invoked from the output. The impact varies depending on the access that is granted to the tools, such as creating a database or writing files.

Detection Methods 3

Dynamic Analysis with Manual Results Interpretation

Use known techniques for prompt injection and other attacks, and adjust the attacks to be more specific to the model or system.

Dynamic Analysis with Automated Results Interpretation

Use known techniques for prompt injection and other attacks, and adjust the attacks to be more specific to the model or system.

Architecture or Design Review

Review of the product design can be effective, but it works best in conjunction with dynamic analysis.

Potential Mitigations 4

Phase: Architecture and Design

Since the output from a generative AI component (such as an LLM) cannot be trusted, ensure that it operates in an untrusted or non-privileged space.

Phase: Operation

Use "semantic comparators," which are mechanisms that provide semantic comparison to identify objects that might appear different but are semantically similar.

Phase: Operation

Use components that operate externally to the system to monitor the output and act as a moderator. These components are called different terms, such as supervisors or guardrails.

Phase: Build and Compilation

During model training, use an appropriate variety of good and bad examples to guide preferred outputs.

Observed Examples 1

CVE-2024-3402chain: GUI for ChatGPT API performs input validation but does not properly "sanitize" or validate model output data (Improper Validation of Generative AI Output), leading to XSS (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')).

References 5

LLM02: Insecure Output Handling

OWASP

21-03-2024

https://genai.owasp.org/llmrisk/llm02-insecure-output-handling/(2024-07-11)

ID: REF-1441

Validating Outputs

Cohere and Guardrails AI

13-09-2023

https://cohere.com/blog/validating-llm-outputs(2024-07-11)

ID: REF-1442

NeMo Guardrails: A Toolkit for Controllable and Safe LLM Applications with Programmable Rails

Traian Rebedea, Razvan Dinu, Makesh Sreedhar, Christopher Parisien, and Jonathan Cohen

12-2023

https://aclanthology.org/2023.emnlp-demo.40/(2024-07-11)

ID: REF-1443

Insecure output handling in LLMs

Snyk

https://learn.snyk.io/lesson/insecure-input-handling/(2024-07-11)

ID: REF-1444

Building Guardrails for Large Language Models

Yi Dong, Ronghui Mu, Gaojie Jin, Yi Qi, Jinwei Hu, Xingyu Zhao, Jie Meng, Wenjie Ruan, and Xiaowei Huang

29-05-2024

https://arxiv.org/pdf/2402.01822(2024-07-11)

ID: REF-1445

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

AI/ML : UndeterminedNot Technology-Specific : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Weaknesses

ChildOf:

Improper Neutralization (CWE-707)

Notes

Research GapThis entry is related to AI/ML, which is not well understood from a weakness perspective. Typically, for new/emerging technologies including AI/ML, early vulnerability discovery and research does not focus on root cause analysis (i.e., weakness identification). For AI/ML, the recent focus has been on attacks and exploitation methods, technical impacts, and mitigations. As a result, closer research or focused efforts by SMEs is necessary to understand the underlying weaknesses. Diverse and dynamic terminology and rapidly-evolving technology further complicate understanding. Finally, there might not be enough real-world examples with sufficient details from which weakness patterns may be discovered. For example, many real-world vulnerabilities related to "prompt injection" appear to be related to typical injection-style attacks in which the only difference is that the "input" to the vulnerable component comes from model output instead of direct adversary input, similar to "second-order SQL injection" attacks.

MaintenanceThis entry was created by members of the CWE AI Working Group during June and July 2024. The CWE Project Lead, CWE Technical Lead, AI WG co-chairs, and many WG members decided that for purposes of timeliness, it would be more helpful to the CWE community to publish the new entry in CWE 4.15 quickly and add to it in subsequent versions.