OWASP LLM03:2025 Training Data Poisoning — multimodal dataset attack surface

What LLM03:2025 covers beyond foundational-model pre-training

The "training data" in OWASP LLM03:2025 is a broader category than the weight-update data a GPU cluster consumes during pre-training. The OWASP category covers any data that shapes LLM application behaviour — which in deployed systems includes fine-tuning datasets, alignment datasets, retrieval corpora, and the few-shot examples embedded in system prompts. The 2025 revision of LLM03 reflects this expanded scope: an organisation that uses a retrieval-augmented generation pipeline has a training data attack surface in the RAG corpus that is as material to its security posture as the fine-tuning data a model was adapted on.

The three principal LLM03 attack vectors in production deployments map as follows. The first is foundational pre-training poisoning: an adversary contributes malicious content to a public dataset (web crawl, code corpus, instruction-following set) that the model vendor uses during pre-training. This vector is largely outside the control of AI application developers — it concerns model selection and supply chain due diligence rather than application-layer controls. The second is fine-tuning and alignment data poisoning: an organisation assembles a proprietary dataset from internal documents, user interactions, or third-party data feeds and uses it to adapt a foundation model for their specific task. Adversarial content introduced at this stage influences the model's learned behaviour in ways that survive deployment. The third is retrieval corpus poisoning: documents are ingested into a vector store or search index that a RAG pipeline queries at inference time. Adversarial content introduced into the corpus is retrieved and presented to the model as trusted context, influencing inference-time output without any direct user injection in the current conversation.

For text-only LLM applications, text-side data validators cover vectors two and three: a text PI scanner applied during dataset ingestion can inspect the text content of documents and training examples for adversarial instructions. For multimodal applications — including chatbots with image upload, document-reading agents, avatar SaaS products, and voice agents that process image-bearing attachments — the same pipeline has a multimodal gap that text validators do not close and that LLM03:2025's dataset security requirement squarely covers.

The multimodal attack surface in RAG retrieval corpora

A retrieval-augmented generation pipeline ingests documents from internal and external sources — policy PDFs, technical manuals, support articles, slide decks, research papers, customer contracts — and indexes their content for retrieval at query time. Modern enterprise knowledge bases contain heavily heterogeneous document types, and a significant fraction of those documents contain embedded images: figures and diagrams in technical PDFs, screenshots in support articles, tables rendered as images in PPTX exports, photographs in policy documents, charts in financial reports.

Standard RAG ingestion pipelines — including the most widely deployed implementations in LangChain, LlamaIndex, and Haystack — process document content at the text layer. A PDF loader extracts text from each page and splits it into chunks; embedded images on those pages are either discarded, extracted separately as binary files without content inspection, or passed to an optional image captioning step that produces a text description for indexing. In none of these paths does a text PI scanner see the raw pixel content of the embedded image. The scanner receives text — either the extracted text surrounding the image or an OCR- or caption-derived text representation — not the image bytes themselves.

The LLM03 attack exploits this gap. An adversary who can introduce a document into the retrieval corpus — by uploading a malicious PDF to a shared knowledge base, by poisoning a third-party data feed the pipeline subscribes to, or by manipulating a web page that a crawler ingests — can embed an adversarial instruction in an image layer of that document. The image renders normally to a human reviewer: it looks like a legitimate figure or diagram. The text extracted by the PDF loader is clean. A text PI scanner applied to the ingested chunks scores them low. The document enters the corpus without triggering any control.

At inference time, a user query causes the retrieval system to surface the poisoned document. The retrieved chunk — including the embedded image or an image reference in the multimodal payload — is presented to the model alongside the user's question. The vision encoder processes the image bytes, reads the adversarial instruction embedded in the pixel layer, and executes it. The attack is complete. The user's text prompt contained nothing adversarial; every text-side inference-time control sees a clean query and clean text context. The payload was delivered through the image layer of a document that entered the corpus at ingestion time, days or weeks before the inference request that triggered it.

This is the canonical LLM03 indirect poisoning scenario for multimodal RAG: the attack happens at ingestion time, the effect is at inference time, and the persistence is indefinite — every subsequent retrieval that surfaces the poisoned document delivers the payload fresh. For a discussion of the inference-time image PI vector in RAG pipelines, see the RAG pipeline prompt-injection scanner page, which covers the inference-time complement to the pre-ingestion control described here.

The multimodal attack surface in fine-tuning datasets

Organizations that fine-tune or instruction-tune multimodal foundation models on proprietary datasets face the second LLM03 vector. Fine-tuning datasets for multimodal models consist of image-text pairs: images paired with captions, instructions, question-answer pairs, or preference labels. The image content is what the fine-tuned model learns to reason about; the text annotations guide the learning objective.

Text-only data validation applied to a fine-tuning dataset inspects the text annotation side of each pair. A text PI scanner run over the instruction column or the response column of the training set will flag text annotations that contain adversarial instructions. It will not inspect the image content of each image-text pair. An adversarial trigger — a specific pattern of pixels that causes the fine-tuned model to emit a target output, an embedded instruction rendered as typography in the image — present in a training image will survive text-only validation and enter the model's training pass. The model learns an association between the pixel trigger and the desired output; in production, the trigger can be included in any user-submitted image to reliably elicit the trained adversarial response.

The attack classes relevant here are the same as in the inference-time context — FigStep-style typographic triggers, adversarial perturbations that exploit the vision encoder's learned features, steganographic payloads — but the threat model differs from inference-time PI. At inference time, the attacker needs to get a malicious image in front of the model in the current conversation. In the fine-tuning poisoning scenario, the attacker needs to get a malicious image into the training dataset, after which the attack is baked into the model's learned weights and does not require any per-request image delivery. The persistent capability is worth more to an attacker and is harder to remediate: removing the poisoning effect requires re-identifying the poisoned training examples and retraining or further-fine-tuning to overwrite the learned association.

Practical fine-tuning dataset sources that carry this risk include: user-generated content used for instruction following (avatar SaaS products that fine-tune on user-submitted selfies and preference labels; document understanding models fine-tuned on scanned contracts submitted by customers); third-party image datasets assembled from web crawls or image-sharing platforms; PDF corpora used for document understanding fine-tuning; and synthetic image-text pairs generated by other multimodal models that may themselves have been fine-tuned on poisoned data. For product types whose ingestion patterns are covered by other pages in this cluster, see prompt injection for avatar SaaS and for chatbots with image upload.

Why text validators and OCR-before-scan cannot close the multimodal LLM03 gap

The two most common responses to the multimodal dataset validation gap are to run a text PI scanner over the text layer of each ingested document and to insert an OCR step before the text scanner to extract text from embedded images before scanning. Neither closes the LLM03 multimodal gap. The reasons are architectural and parallel the LLM01 inference-time OCR argument, applied to the dataset-ingestion context.

The text validator limitation is straightforward: a text PI scanner receives text strings. In a RAG ingestion pipeline, text strings come from the text extraction layer of the document loader. The document loader extracts the text layer of a PDF page — the characters encoded in the PDF's content stream — and discards or separately handles the binary image objects embedded in that page. The text PI scanner never receives image bytes. Even if an attacker embeds an adversarial instruction as rendered typography in an image, that content is not in the text extraction output unless OCR is run. The text scanner has no coverage path to the pixel content of embedded images.

The OCR limitation is more subtle. Running Tesseract or an equivalent OCR engine over embedded images produces a text transcript of the visible characters in those images. A text PI scanner applied to the OCR transcript provides partial coverage: it catches adversarial instructions that are rendered clearly enough for OCR to transcribe accurately. The FigStep and AgentTypo attack families are specifically designed to defeat this pipeline. They render adversarial instructions using anti-OCR fonts, adversarial glyph distortions, Unicode confusable characters, or rendering techniques that exploit the gap between what a neural vision encoder reads from pixel values and what an OCR character recognition system extracts from the same image. A FigStep-class payload produces a clean or misleading OCR transcript while the vision encoder reads the embedded instruction directly from the pixel layer. The OCR transcript scan scores the image as clean; the image enters the corpus or training set; the vision encoder processes the payload at inference or training time.

The structural ceiling here is the same as at inference time: OCR is a character recognition system that extracts a text representation of image content. It is not an adversarial payload detector. It does not inspect the image bytes for adversarial-instruction patterns. It does not model what a neural vision encoder will see when it processes the same pixel values. A scanner that inspects the image bytes directly — against a curated corpus of known-malicious multimodal payloads — is the only control architecture that closes the gap. For the detailed technical argument on the OCR structural ceiling, see Why every text-only prompt-injection scanner misses a 30-pixel PNG and FigStep detection.

Coverage matrix against the LLM03:2025 multimodal evidence requirement

Mapping the self-serve prompt-injection scanner landscape to the LLM03:2025 dataset poisoning evidence requirement for multimodal AI systems produces a gap that runs uniformly across all text-only tools.

Three clarifications apply. First, Azure Prompt Shields' image analysis covers content moderation categories — violence, CSAM, hate speech — not prompt-injection payload detection. A content moderation "no harmful content" result for an embedded PDF image does not constitute LLM03 dataset validation for adversarial-instruction payloads; the two functions have different threat models. The Azure Prompt Shields comparison page covers this distinction. Second, Promptfoo is a pre-deployment evaluation harness that tests model behaviour against adversarial probe sets. It is not designed to serve as a dataset ingestion gate that scans documents before they enter a retrieval corpus; its test records are CI artefacts, not per-document dataset provenance records. Third, Lakera Guard was acquired by Check Point in 2025 and is moving upmarket; the Lakera alternative page tracks the practical availability implications. For RAG pipelines already using LLM Guard on the text path, the run-both pattern is the recommended addition; see LLM Guard alternative (multimodal).

Five-step LLM03-aligned architecture for multimodal dataset security

Implementing LLM03:2025-compliant dataset validation for a multimodal AI application requires five steps that map onto the OWASP LLM03 control objectives: data source integrity, ingestion-time validation, provenance records, quarantine workflow, and continuous corpus review.

1. Inventory every data source feeding fine-tuning sets and RAG corpora, and identify which sources contain or may contain image or audio content. OWASP LLM03 begins with data source visibility: you cannot validate what you have not enumerated. For each data source — internal document stores, third-party data feeds, web crawlers, user-submitted uploads, exported CRM or ticketing records — determine whether the documents that source produces contain image layers (PDFs with figures, PPTX files, DOCX with embedded images) or audio content (transcribed call recordings paired with audio files). Mark each source as text-only, image-bearing, or audio-bearing. Sources marked image-bearing or audio-bearing have a multimodal LLM03 attack surface that requires pre-ingestion scanning; text-only sources are adequately covered by your existing text validator. A crawled web source should be treated as image-bearing by default: modern web pages routinely contain images that a scraper captures alongside text. Per-product data source inventories are available for RAG pipelines, MCP servers, and chatbots with image upload.
2. Place the pre-ingestion multimodal scan between document receipt and corpus entry — before any chunk enters the vector store or training dataset. The scan must be positioned before ingestion, not after. A document that enters the vector store and is later found to contain a malicious image layer has already been indexed; every retrieval that surfaces that document from ingestion to detection has exposed the model to the payload. The correct control placement is at the ingestion gate: extract all embedded images from the document (using a PDF image extractor such as PyMuPDF or pdfplumber, or the equivalent for PPTX and DOCX), post each extracted image to the Glyphward scan endpoint, receive the risk score, and decide — allow ingestion, flag for human review, or quarantine — before the document enters the corpus. For fine-tuning datasets, the scan gate sits before the training run: scan each image in the dataset batch before submitting the batch to the fine-tuning pipeline. Documents or training examples that clear the scan enter the corpus or dataset with a linked scan_id; those that do not are routed to the quarantine workflow in step 4. For LangChain, LlamaIndex, and CrewAI implementations, this is a middleware step in the document loading pipeline.
3. Write per-document scan records as the LLM03 dataset-provenance evidence. LLM03 controls require that organisations can demonstrate the integrity of their training and retrieval data. The pre-ingestion scan record is the concrete implementation of that requirement for multimodal content. For each document ingested into the RAG corpus, store: document_id (or chunk_id), source_uri, ingestion_timestamp, and — for each image extracted from the document — the Glyphward scan_id, the image_hash (for deduplication and audit), the risk_score, and the ingestion_action (allowed, flagged, quarantined). For fine-tuning datasets, store the same fields at the training-example level with a dataset_version tag. These records constitute the dataset provenance trail that an LLM03 control review or a SOC 2 / ISO 27001 audit can inspect to confirm that multimodal content was validated before influencing model behavior. The scan_id links the application-side provenance record to the immutable server-side scan record at Glyphward, providing a corroborating reference that cannot be retroactively modified. The same per-request evidence structure that the SOC 2 CC6.6 evidence pattern and the ISO 27001 A.8.28 evidence pattern describe at inference time applies here at ingestion time.
4. Implement a quarantine and review workflow for documents that exceed the risk threshold. A pre-ingestion scan that flags a document as high-risk requires a disposition decision: the document either does not enter the corpus, enters a quarantine store pending human review, or is forwarded to a sanitisation step (image removal or redaction) before re-ingestion. For automated pipelines ingesting high volumes of documents — web crawlers, bulk CRM exports — the quarantine workflow must be designed for throughput: a high-risk document triggers a webhook or queue entry that routes to an alert channel (Slack, PagerDuty, SIEM) while the document is held in a staging store. Human reviewers examine quarantined documents against the flagged image regions and risk reasons provided in the scan response; they approve clean documents for ingestion and discard confirmed poisoned documents. For fine-tuning datasets, quarantined training examples are excluded from the training batch and logged with the dataset_version; if the quarantine rate for a source exceeds a threshold (for example, more than 0.1% of a dataset batch), the entire source is suspended for investigation. The quarantine scan_id is the evidence record that demonstrates the LLM03 control functioned for flagged items — it shows the system identified and held the document rather than ingesting it unchecked.
5. Run periodic re-scans of the existing corpus as the adversarial payload corpus is updated. LLM03:2025's dataset security requirement is ongoing, not one-time. A document that passed the scan at ingestion time — because the attack vector it contained was not yet in the payload corpus — may fail a re-scan after the corpus is updated with the new attack family. Glyphward continuously expands the curated payload corpus as new multimodal PI attack variants are published and observed. A quarterly or monthly re-scan of the retrieval corpus — scanning each embedded image against the current payload corpus and quarantining documents whose risk scores have risen above threshold — ensures that historical ingestion decisions remain valid under the current threat model. The re-scan record updates the provenance trail: each re-scanned image receives a new scan_id, timestamp, and score; the document's provenance entry is updated to reflect the most recent scan verdict. For compliance programmes that align with the NIST AI RMF Measure and Manage functions or the MITRE ATLAS threat-intelligence update cycle, the periodic re-scan is the implementation of continuous monitoring for the dataset attack surface.

How Glyphward fits

Glyphward is designed primarily as an inference-time scanner — bytes in, 0–100 risk score and flagged regions out, <200 ms p95 — but the API contract is equally suited to the pre-ingestion use case that LLM03:2025 requires. A POST to the image scan endpoint with an extracted image from a PDF returns the same scan_id, risk_score, flagged_region, and modality_reason that an inference-time call returns. The scan runs the same detection pipeline: CLIP embedding plus a typographic-PI detection head plus Tesseract OCR cross-referenced against a curated adversarial payload corpus. A pre-ingestion call to this endpoint before a document enters the retrieval corpus produces a provenance record that is structurally identical to an inference-time scan record — the same evidence format that satisfies SOC 2 CC6.6 at inference time satisfies the LLM03 dataset-integrity requirement at ingestion time.

For fine-tuning dataset validation, the same endpoint accepts images from training pairs before the training batch is submitted. The scan_id persists on the Glyphward server as an immutable record linked to the submitted image hash; when auditors or MLSec reviewers ask for evidence that image X in dataset version Y was validated before training, the scan_id and server-side record provide that evidence. The free tier supports 10 scans per day — enough for development and corpus-sampling experiments; the Pro tier at $29/mo provides 100k scans per month suitable for continuous ingestion pipelines. Full pricing is at the pricing page.

Glyphward does not replace the text-side PI scanner already in your ingestion pipeline. The run-both pattern applies at ingestion just as it does at inference time: the text scanner covers the text content of ingested documents; Glyphward covers the image and audio layers. Together they close the LLM03 multimodal gap without replacing existing text-side controls.

Get early access · See the API surface · RAG pipeline integration

Related questions

Further reading

• OWASP LLM01:2025 prompt injection — multimodal sub-category — the inference-time companion to LLM03; covers direct image and audio PI delivery through user input in the active conversation, the three multimodal delivery channels, and the coverage matrix for inference-time controls.
• OWASP LLM02:2025 Insecure Output Handling — multimodal origin chain — the downstream execution risk when an LLM01 or LLM03 multimodal payload succeeds and produces output that flows to a code interpreter, renderer, or API; the LLM01 + LLM02 + LLM03 trio covers the full input-to-output attack chain.
• Prompt-injection scanner for RAG pipelines — the inference-time complement to LLM03 pre-ingestion scanning; covers indirect PI through retrieved documents at query time, the pre-ingestion and retrieval-time scan placement options, and loader-middleware architecture.
• FigStep detection · AgentTypo detector — the specific attack families most relevant to the corpus poisoning vector; both are designed to defeat OCR-before-text-scan pipelines and require pixel-level inspection to detect.
• Why every text-only prompt-injection scanner misses a 30-pixel PNG — the architectural argument for why OCR-before-text-scan has a structural ceiling below the FigStep / AgentTypo attack class; the core reasoning behind the pre-ingestion multimodal scan requirement.
• SOC 2 AI security controls — multimodal prompt injection evidence — the SOC 2 CC6.6 dataset-integrity evidence pattern; the per-document scan_id provenance record structure described above satisfies CC6.6 for dataset ingestion just as it satisfies it for inference-time validation.
• ISO 27001:2022 AI security controls — multimodal prompt injection evidence — the ISO 27001 A.8.28 Secure Coding requirement that external data sources are treated as untrusted until validated; retrieval corpus documents from external sources are external data under A.8.28, and pre-ingestion scanning is the validation mechanism.
• NIST AI RMF GenAI Profile (NIST AI 600-1) — the Measure and Manage functions cover dataset integrity monitoring; the periodic re-scan architecture in step 5 above implements continuous Measure-function monitoring for the multimodal dataset attack surface.
• MITRE ATLAS — multimodal prompt injection (AML.T0051) and LLM jailbreak (AML.T0054) — AML.T0051.001 (Indirect Prompt Injection) explicitly includes "multimedia pulled from databases or websites" in scope; the corpus-poisoning RAG vector is the precise attack pattern AML.T0051.001 describes.
• CISA deploying AI systems securely — prompt injection and the multimodal gap — CISA's guidance that "validate and sanitise all inputs before they reach the model" applies to retrieval corpus documents as "inputs" that the model will consume; the pre-ingestion scan is the CISA-aligned implementation for external data sources entering a RAG pipeline.
• LangChain integration · CrewAI integration · AutoGen integration — per-framework integration patterns for adding the pre-ingestion image scan to common RAG and multi-agent pipeline implementations.
• vs Lakera Guard · vs Azure Prompt Shields · vs LLM Guard — coverage comparison for the RAG corpus ingestion use case: which tools produce per-image provenance records for embedded image content and which cover only the text layer.