{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T11:08:50Z","timestamp":1778152130851,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":56,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690338","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"1716-1730","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["Demystifying RCE Vulnerabilities in LLM-Integrated Apps"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-5804-6551","authenticated-orcid":false,"given":"Tong","family":"Liu","sequence":"first","affiliation":[{"name":"IIE, CAS &amp; School of Cyber Security, UCAS, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7240-9268","authenticated-orcid":false,"given":"Zizhuang","family":"Deng","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Technology, Shandong University, Qingdao, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6388-2571","authenticated-orcid":false,"given":"Guozhu","family":"Meng","sequence":"additional","affiliation":[{"name":"IIE, CAS &amp; School of Cyber Security, UCAS, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4382-0757","authenticated-orcid":false,"given":"Yuekang","family":"Li","sequence":"additional","affiliation":[{"name":"University of New South Wales, Sydney, 
Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5624-2987","authenticated-orcid":false,"given":"Kai","family":"Chen","sequence":"additional","affiliation":[{"name":"IIE, CAS &amp; School of Cyber Security, UCAS, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2023. CVE-2023-37273. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-37273."},{"key":"e_1_3_2_1_2_1","unstructured":"2024. LLMSmith. https:\/\/sites.google.com\/view\/llmsmith\/."},{"key":"e_1_3_2_1_3_1","unstructured":"axflow. 2023. Axflow. https:\/\/github.com\/axflow\/axflow."},{"key":"e_1_3_2_1_4_1","unstructured":"Thousand Birds. 2023. Chidori. https:\/\/github.com\/ThousandBirdsInc\/chidori."},{"key":"e_1_3_2_1_5_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, et al. 2021. Extracting training data from large language models. In 30th USENIX Security Symposium (USENIX Security 21). 2633--2650."},{"key":"e_1_3_2_1_6_1","unstructured":"Yupeng Chang Xu Wang Jindong Wang Yuan Wu Kaijie Zhu Hao Chen Linyi Yang Xiaoyuan Yi Cunxiang Wang Yidong Wang et al. 2023. A survey on evaluation of large language models. arXiv preprint arXiv:2307.03109 (2023)."},{"key":"e_1_3_2_1_7_1","volume-title":"Jared Kaplan, Harri Edwards, Yuri Burda, Nicholas Joseph, Greg Brockman, et al.","author":"Chen Mark","year":"2021","unstructured":"Mark Chen, Jerry Tworek, Heewoo Jun, Qiming Yuan, Henrique Ponde de Oliveira Pinto, Jared Kaplan, Harri Edwards, Yuri Burda, Nicholas Joseph, Greg Brockman, et al. 2021. Evaluating large language models trained on code. 
arXiv preprint arXiv:2107.03374 (2021)."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2017.0-119"},{"key":"e_1_3_2_1_9_1","volume-title":"Is GPT-4 a Good Data Analyst? arXiv preprint arXiv:2305.15038","author":"Cheng Liying","year":"2023","unstructured":"Liying Cheng, Xingxuan Li, and Lidong Bing. 2023. Is GPT-4 a Good Data Analyst? arXiv preprint arXiv:2305.15038 (2023)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987550.2987571"},{"key":"e_1_3_2_1_11_1","unstructured":"The MITRE Corporation. 2021. CVE-2021-44228. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-2021-44228."},{"key":"e_1_3_2_1_12_1","unstructured":"Dashy Dash. 2023. pandas-llm. https:\/\/github.com\/DashyDashOrg\/pandas-llm."},{"key":"e_1_3_2_1_13_1","volume-title":"Jailbreaker: Automated jailbreak across multiple large language model chatbots. arXiv preprint arXiv:2307.08715","author":"Deng Gelei","year":"2023","unstructured":"Gelei Deng, Yi Liu, Yuekang Li, Kailong Wang, Ying Zhang, Zefeng Li, Haoyu Wang, Tianwei Zhang, and Yang Liu. 2023. Jailbreaker: Automated jailbreak across multiple large language model chatbots. arXiv preprint arXiv:2307.08715 (2023)."},{"key":"e_1_3_2_1_14_1","unstructured":"e2b dev. 2023. e2b. https:\/\/github.com\/e2b-dev\/E2B."},{"key":"e_1_3_2_1_15_1","volume-title":"LLM Censorship: A Machine Learning Challenge or a Computer Security Problem? arXiv preprint arXiv:2307.10719","author":"Glukhov David","year":"2023","unstructured":"David Glukhov, Ilia Shumailov, Yarin Gal, Nicolas Papernot, and Vardan Papyan. 2023. LLM Censorship: A Machine Learning Challenge or a Computer Security Problem? arXiv preprint arXiv:2307.10719 (2023)."},{"key":"e_1_3_2_1_16_1","unstructured":"Significant Gravitas. 2023. Auto-GPT. 
https:\/\/github.com\/Significant-Gravitas\/Auto-GPT."},{"key":"e_1_3_2_1_17_1","volume-title":"Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. arXiv preprint arXiv:2302.12173","author":"Greshake Kai","year":"2023","unstructured":"Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. arXiv preprint arXiv:2302.12173 (2023)."},{"key":"e_1_3_2_1_18_1","unstructured":"griptape ai. 2023. griptape. https:\/\/github.com\/griptape-ai\/griptape."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","unstructured":"Maarten Grootendorst. 2020. KeyBERT: Minimal keyword extraction with BERT. https:\/\/doi.org\/10.5281\/zenodo.4461265","DOI":"10.5281\/zenodo.4461265"},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the IEEE international symposium on secure software engineering","volume":"1","author":"Halfond William G","year":"2006","unstructured":"William G Halfond, Jeremy Viegas, Alessandro Orso, et al. 2006. A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE international symposium on secure software engineering, Vol. 1. IEEE, 13--15."},{"key":"e_1_3_2_1_21_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX)","author":"He Yingzhe","year":"2021","unstructured":"Yingzhe He, Guozhu Meng, Kai Chen, Jinwen He, and Xingbo Hu. 2021. DRMI: A Dataset Reduction Technology based on Mutual Information for Black-box Attacks. In Proceedings of the 30th USENIX Security Symposium (USENIX) (Vancouver, B.C., Canada)."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","unstructured":"Yingzhe He Guozhu Meng Kai Chen Xingbo Hu and Jinwen He. 2020. Towards Security Threats of Deep Learning Systems: A Survey. (2020) 1--28. 
https: \/\/doi.org\/10.1109\/TSE.2020.3034721","DOI":"10.1109\/TSE.2020.3034721"},{"key":"e_1_3_2_1_23_1","volume-title":"Zijuan Lin, Liyang Zhou, Chenyu Ran, Lingfeng Xiao, Chenglin Wu, and J\u00fcrgen Schmidhuber.","author":"Hong Sirui","year":"2023","unstructured":"Sirui Hong, Mingchen Zhuge, Jonathan Chen, Xiawu Zheng, Yuheng Cheng, Ceyao Zhang, Jinlin Wang, Zili Wang, Steven Ka Shing Yau, Zijuan Lin, Liyang Zhou, Chenyu Ran, Lingfeng Xiao, Chenglin Wu, and J\u00fcrgen Schmidhuber. 2023. MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework. arXiv:2308.00352 [cs.AI]"},{"key":"e_1_3_2_1_24_1","unstructured":"IBM. 2023. What is phishing? https:\/\/www.ibm.com\/topics\/phishing."},{"key":"e_1_3_2_1_25_1","unstructured":"InternLM. 2023. lagent. https:\/\/github.com\/InternLM\/lagent."},{"key":"e_1_3_2_1_26_1","volume-title":"Exploiting programmatic behavior of llms: Dual-use through standard security attacks. arXiv preprint arXiv:2302.05733","author":"Kang Daniel","year":"2023","unstructured":"Daniel Kang, Xuechen Li, Ion Stoica, Carlos Guestrin, Matei Zaharia, and Tatsunori Hashimoto. 2023. Exploiting programmatic behavior of llms: Dual-use through standard security attacks. arXiv preprint arXiv:2302.05733 (2023)."},{"key":"e_1_3_2_1_27_1","unstructured":"Gus Khawaja. 2021. Linux Privilege Escalation. 257--272."},{"key":"e_1_3_2_1_28_1","unstructured":"langchain ai. 2023. langchain. https:\/\/github.com\/langchain-ai\/langchain."},{"key":"e_1_3_2_1_29_1","unstructured":"langroid. 2023. langroid. https:\/\/github.com\/langroid\/langroid\/."},{"key":"e_1_3_2_1_30_1","volume-title":"Multi-step jailbreaking privacy attacks on chatgpt. arXiv preprint arXiv:2304.05197","author":"Li Haoran","year":"2023","unstructured":"Haoran Li, Dadi Guo, Wei Fan, Mingshi Xu, and Yangqiu Song. 2023. Multi-step jailbreaking privacy attacks on chatgpt. arXiv preprint arXiv:2304.05197 (2023)."},{"key":"e_1_3_2_1_31_1","unstructured":"Jan Lipovsk\u00fd. 2022. URLExtract. 
https:\/\/github.com\/lipoja\/URLExtract."},{"key":"e_1_3_2_1_32_1","volume-title":"YuyaoWang, and Lingming Zhang.","author":"Liu Jiawei","year":"2023","unstructured":"Jiawei Liu, Chunqiu Steven Xia, YuyaoWang, and Lingming Zhang. 2023. Is your code generated by chatgpt really correct? rigorous evaluation of large language models for code generation. arXiv preprint arXiv:2305.01210 (2023)."},{"key":"e_1_3_2_1_33_1","volume-title":"Prompt Injection attack against LLM-integrated Applications. arXiv preprint arXiv:2306.05499","author":"Liu Yi","year":"2023","unstructured":"Yi Liu, Gelei Deng, Yuekang Li, Kailong Wang, Tianwei Zhang, Yepang Liu, Haoyu Wang, Yan Zheng, and Yang Liu. 2023. Prompt Injection attack against LLM-integrated Applications. arXiv preprint arXiv:2306.05499 (2023)."},{"key":"e_1_3_2_1_34_1","unstructured":"LlamaIndex. 2023. llama_index. https:\/\/github.com\/jerryjliu\/llama_index."},{"key":"e_1_3_2_1_35_1","unstructured":"Logspace. 2023. langflow. https:\/\/github.com\/logspace-ai\/langflow."},{"key":"e_1_3_2_1_36_1","volume-title":"The clever trick that turns ChatGPT into its evil twin. The Washington Post","author":"Oremus Will","year":"2023","unstructured":"Will Oremus. 2023. The clever trick that turns ChatGPT into its evil twin. The Washington Post (2023)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833571"},{"key":"e_1_3_2_1_38_1","volume-title":"From Prompt Injections to SQL Injection Attacks: How Protected is Your LLMIntegrated Web Application? arXiv preprint arXiv:2308.01990","author":"Pedro Rodrigo","year":"2023","unstructured":"Rodrigo Pedro, Daniel Castro, Paulo Carreira, and Nuno Santos. 2023. From Prompt Injections to SQL Injection Attacks: How Protected is Your LLMIntegrated Web Application? arXiv preprint arXiv:2308.01990 (2023)."},{"key":"e_1_3_2_1_39_1","volume-title":"Ignore previous prompt: Attack techniques for language models. 
arXiv preprint arXiv:2211.09527","author":"Perez F\u00e1bio","year":"2022","unstructured":"F\u00e1bio Perez and Ian Ribeiro. 2022. Ignore previous prompt: Attack techniques for language models. arXiv preprint arXiv:2211.09527 (2022)."},{"key":"e_1_3_2_1_40_1","unstructured":"pyodide. 2018. Pyodide. https:\/\/github.com\/pyodide\/pyodide."},{"key":"e_1_3_2_1_41_1","volume-title":"Reddit Discussion: Calculating the Hash of a Word ''on the fly''. https:\/\/www.reddit.com\/r\/ChatGPT\/comments\/109jc9p\/calculating_the_hash_ of_a_word_on_the_fly\/.","year":"2023","unstructured":"Reddit. 2023. Reddit Discussion: Calculating the Hash of a Word ''on the fly''. https:\/\/www.reddit.com\/r\/ChatGPT\/comments\/109jc9p\/calculating_the_hash_ of_a_word_on_the_fly\/."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00146"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/PROC.1975.9939"},{"key":"e_1_3_2_1_44_1","unstructured":"SeleniumHQ. 2022. selenium. https:\/\/github.com\/SeleniumHQ\/selenium."},{"key":"e_1_3_2_1_45_1","volume-title":"Do Anything Now'': Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models. arXiv preprint arXiv:2308.03825","author":"Shen Xinyue","year":"2023","unstructured":"Xinyue Shen, Zeyuan Chen, Michael Backes, Yun Shen, and Yang Zhang. 2023. ''Do Anything Now'': Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models. arXiv preprint arXiv:2308.03825 (2023)."},{"key":"e_1_3_2_1_46_1","unstructured":"vanna ai. 2023. vanna. https:\/\/github.com\/vanna-ai\/vanna."},{"key":"e_1_3_2_1_47_1","unstructured":"Gabriele Venturi. 2023. pandas-ai. https:\/\/github.com\/gventuri\/pandas-ai."},{"key":"e_1_3_2_1_48_1","volume-title":"Nghi DQ Bui, Junnan Li, and Steven CH Hoi.","author":"Wang Yue","year":"2023","unstructured":"Yue Wang, Hung Le, Akhilesh Deepak Gotmare, Nghi DQ Bui, Junnan Li, and Steven CH Hoi. 2023. 
Codet5: Open code large language models for code understanding and generation. arXiv preprint arXiv:2305.07922 (2023)."},{"key":"e_1_3_2_1_49_1","volume-title":"Jailbroken: How does llm safety training fail? arXiv preprint arXiv:2307.02483","author":"Wei Alexander","year":"2023","unstructured":"Alexander Wei, Nika Haghtalab, and Jacob Steinhardt. 2023. Jailbroken: How does llm safety training fail? arXiv preprint arXiv:2307.02483 (2023)."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.5555\/3620237.3620389"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00129"},{"key":"e_1_3_2_1_52_1","volume-title":"11th USENIXWorkshop on Hot Topics in Cloud Computing (HotCloud 19).","author":"Young Ethan G","unstructured":"Ethan G Young, Pengfei Zhu, Tyler Caraza-Harter, Andrea C Arpaci-Dusseau, and Remzi H Arpaci-Dusseau. 2019. The true cost of containing: A {gVisor} case study. In 11th USENIXWorkshop on Hot Topics in Cloud Computing (HotCloud 19)."},{"key":"e_1_3_2_1_53_1","volume-title":"GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts. arXiv preprint arXiv:2309.10253","author":"Yu Jiahao","year":"2023","unstructured":"Jiahao Yu, Xingwei Lin, and Xinyu Xing. 2023. GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts. arXiv preprint arXiv:2309.10253 (2023)."},{"key":"e_1_3_2_1_54_1","volume-title":"AutoDefense: Multi-Agent LLM Defense against Jailbreak Attacks. arXiv preprint arXiv:2403.04783","author":"Zeng Yifan","year":"2024","unstructured":"Yifan Zeng, Yiran Wu, Xiao Zhang, Huazheng Wang, and Qingyun Wu. 2024. AutoDefense: Multi-Agent LLM Defense against Jailbreak Attacks. arXiv preprint arXiv:2403.04783 (2024)."},{"key":"e_1_3_2_1_55_1","volume-title":"Junbo Zhao, and Jie Fu.","author":"Zhao Shuai","year":"2023","unstructured":"Shuai Zhao, JinmingWen, Luu Anh Tuan, Junbo Zhao, and Jie Fu. 2023. 
Prompt as Triggers for Backdoor Attack: Examining the Vulnerability in Language Models. arXiv preprint arXiv:2305.01219 (2023)."},{"key":"e_1_3_2_1_56_1","volume-title":"Universal and transferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043","author":"Zou Andy","year":"2023","unstructured":"Andy Zou, Zifan Wang, J Zico Kolter, and Matt Fredrikson. 2023. Universal and transferable adversarial attacks on aligned language models. arXiv preprint arXiv:2307.15043 (2023)."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690338","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690338","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:11:31Z","timestamp":1755843091000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690338"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":56,"alternative-id":["10.1145\/3658644.3690338","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690338","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}