Why it matters

JSON is common in LLM apps. Understanding injection prevents subtle exploits.

Advertisement

The architecture

Field injection: attacker includes extra fields designed to be interpreted as instructions.

Escape breakout: bad escaping lets attacker end string, add new field, reopen.

JSON injectionAttacker JSONin tool responseLLM parsessees attacker fieldsWrong interpretationor actionValidate JSON schema strictly; don't trust field contents even in valid JSON
JSON injection paths.
Advertisement

How it works end to end

Nested content: legitimate JSON with malicious string values that LLM interprets as instructions.

Defenses: validate schema strictly. Escape values before including in prompts. Treat string values as untrusted user input.