{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,24]],"date-time":"2026-04-24T15:11:23Z","timestamp":1777043483252,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":28,"publisher":"ACM","funder":[{"DOI":"10.13039\/501100021856","name":"Ministero dell'Universit\u00e0 e della Ricerca","doi-asserted-by":"publisher","award":["PE_00000014, B53C22003990006"],"award-info":[{"award-number":["PE_00000014, B53C22003990006"]}],"id":[{"id":"10.13039\/501100021856","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,13]]},"DOI":"10.1145\/3733799.3762976","type":"proceedings-article","created":{"date-parts":[[2025,12,30]],"date-time":"2025-12-30T11:38:49Z","timestamp":1767094729000},"page":"170-181","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["The Hidden Threat in Plain Text: Attacking RAG Data Loaders"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-1809-2253","authenticated-orcid":false,"given":"Alberto","family":"Castagnaro","sequence":"first","affiliation":[{"name":"University of Padua, Padova, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-1475-9677","authenticated-orcid":false,"given":"Umberto","family":"Salviati","sequence":"additional","affiliation":[{"name":"University of Padua, Padova, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3612-1934","authenticated-orcid":false,"given":"Mauro","family":"Conti","sequence":"additional","affiliation":[{"name":"University of Padua, Padova, Italy and \u00d6rebro University, \u00d6rebro, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6749-6608","authenticated-orcid":false,"given":"Luca","family":"Pajola","sequence":"additional","affiliation":[{"name":"Spritz Matter, Padova, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-6719-0813","authenticated-orcid":false,"given":"Simeone","family":"Pizzi","sequence":"additional","affiliation":[{"name":"Spritz Matter, Padova, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,12,30]]},"reference":[{"key":"e_1_3_3_2_2_2","unstructured":"Christoph Auer Maksym Lysak Ahmed Nassar Michele Dolfi Nikolaos Livathinos Panos Vagenas Cesar\u00a0Berrospi Ramis Matteo Omenetti Fabian Lindlbauer Kasper Dinkla Lokesh Mishra Yusik Kim Shubham Gupta Rafael\u00a0Teixeira de Lima Valery Weber Lucas Morin Ingmar Meijer Viktor Kuropiatnyk and Peter W.\u00a0J. Staar. 2024. Docling Technical Report. arxiv:https:\/\/arXiv.org\/abs\/2408.09869\u00a0[cs.CL] https:\/\/arxiv.org\/abs\/2408.09869"},{"key":"e_1_3_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3607199.3607220"},{"key":"e_1_3_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833641"},{"key":"e_1_3_3_2_5_2","unstructured":"Tom Brown Benjamin Mann Nick Ryder Melanie Subbiah Jared\u00a0D Kaplan Prafulla Dhariwal Arvind Neelakantan Pranav Shyam Girish Sastry Amanda Askell et\u00a0al. 2020. Language models are few-shot learners. Advances in neural information processing systems 33 (2020) 1877\u20131901."},{"key":"e_1_3_3_2_6_2","first-page":"2633","volume-title":"30th USENIX security symposium (USENIX Security 21)","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, et\u00a0al. 2021. Extracting training data from large language models. In 30th USENIX security symposium (USENIX Security 21). 2633\u20132650."},{"key":"e_1_3_3_2_7_2","unstructured":"Harsh Chaudhari Giorgio Severi John Abascal Matthew Jagielski Christopher\u00a0A Choquette-Choo Milad Nasr Cristina Nita-Rotaru and Alina Oprea. 2024. Phantom: General trigger attacks on retrieval augmented language generation. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2405.20485 (2024)."},{"key":"e_1_3_3_2_8_2","doi-asserted-by":"crossref","unstructured":"Mauro Conti Luca Pajola and Pier\u00a0Paolo Tricomi. 2023. Turning captchas against humanity: Captcha-based attacks in online social media. Online Social Networks and Media 36 (2023) 100252.","DOI":"10.1016\/j.osnem.2023.100252"},{"key":"e_1_3_3_2_9_2","doi-asserted-by":"crossref","unstructured":"Gelei Deng Yi Liu Kailong Wang Yuekang Li Tianwei Zhang and Yang Liu. 2024. Pandora: Jailbreak gpts by retrieval augmented generation poisoning. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2402.08416 (2024).","DOI":"10.14722\/aiscc.2024.23018"},{"key":"e_1_3_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3270101.3270103"},{"key":"e_1_3_3_2_11_2","unstructured":"Yupeng Hou Jiacheng Li Zhankui He An Yan Xiusi Chen and Julian McAuley. 2024. Bridging Language and Items for Retrieval and Recommendation. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2403.03952 (2024)."},{"key":"e_1_3_3_2_12_2","unstructured":"Jie Huang and Kevin Chen-Chuan Chang. 2022. Towards reasoning in large language models: A survey. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2212.10403 (2022)."},{"key":"e_1_3_3_2_13_2","unstructured":"Abhinav Kumar Jaechul Roh Ali Naseh Marzena Karpinska Mohit Iyyer Amir Houmansadr and Eugene Bagdasarian. 2025. OverThink: Slowdown Attacks on Reasoning LLMs. arXiv e-prints (2025) arXiv\u20132502."},{"key":"e_1_3_3_2_14_2","doi-asserted-by":"crossref","unstructured":"David\u00a0MJ Lazer Matthew\u00a0A Baum Yochai Benkler Adam\u00a0J Berinsky Kelly\u00a0M Greenhill Filippo Menczer Miriam\u00a0J Metzger Brendan Nyhan Gordon Pennycook David Rothschild et\u00a0al. 2018. The science of fake news. Science 359 6380 (2018) 1094\u20131096.","DOI":"10.1126\/science.aao2998"},{"key":"e_1_3_3_2_15_2","unstructured":"Patrick Lewis Ethan Perez Aleksandra Piktus Fabio Petroni Vladimir Karpukhin Naman Goyal Heinrich K\u00fcttler Mike Lewis Wen-tau Yih Tim Rockt\u00e4schel et\u00a0al. 2020. Retrieval-augmented generation for knowledge-intensive nlp tasks. Advances in Neural Information Processing Systems 33 (2020) 9459\u20139474."},{"key":"e_1_3_3_2_16_2","unstructured":"Nikolaos Livathinos Christoph Auer Maksym Lysak Ahmed Nassar Michele Dolfi Panos Vagenas Cesar\u00a0Berrospi Ramis Matteo Omenetti Kasper Dinkla Yusik Kim Shubham Gupta Rafael\u00a0Teixeira de Lima Valery Weber Lucas Morin Ingmar Meijer Viktor Kuropiatnyk and Peter W.\u00a0J. Staar. 2025. Docling: An Efficient Open-Source Toolkit for AI-driven Document Conversion. arxiv:https:\/\/arXiv.org\/abs\/2501.17887\u00a0[cs.CL] https:\/\/arxiv.org\/abs\/2501.17887"},{"key":"e_1_3_3_2_17_2","first-page":"833","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Markwood Ian","year":"2017","unstructured":"Ian Markwood, Dakun Shen, Yao Liu, and Zhuo Lu. 2017. Mirage: Content masking attack against { Information-Based} online services. In 26th USENIX Security Symposium (USENIX Security 17). 833\u2013847."},{"key":"e_1_3_3_2_18_2","doi-asserted-by":"crossref","unstructured":"Anay Mehrotra Manolis Zampetakis Paul Kassianik Blaine Nelson Hyrum Anderson Yaron Singer and Amin Karbasi. 2024. Tree of attacks: Jailbreaking black-box llms automatically. Advances in Neural Information Processing Systems 37 (2024) 61065\u201361105.","DOI":"10.52202\/079017-1952"},{"key":"e_1_3_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00023"},{"key":"e_1_3_3_2_20_2","unstructured":"F\u00e1bio Perez and Ian Ribeiro. 2022. Ignore previous prompt: Attack techniques for language models. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2211.09527 (2022)."},{"key":"e_1_3_3_2_21_2","doi-asserted-by":"crossref","unstructured":"Stephen Roller Emily Dinan Naman Goyal Da Ju Mary Williamson Yinhan Liu Jing Xu Myle Ott Kurt Shuster Eric\u00a0M Smith et\u00a0al. 2021. Recipes for building an open-domain chatbot. Proceedings of the 16th Conference of the European Chapter of the Association for Computational Linguistics: Main Volume (2021).","DOI":"10.18653\/v1\/2021.eacl-main.24"},{"key":"e_1_3_3_2_22_2","unstructured":"Alexander Wei Nika Haghtalab and Jacob Steinhardt. 2023. Jailbroken: How does llm safety training fail? Advances in Neural Information Processing Systems 36 (2023) 80079\u201380110."},{"key":"e_1_3_3_2_23_2","unstructured":"Jason Wei Xuezhi Wang Dale Schuurmans Maarten Bosma Fei Xia Ed Chi Quoc\u00a0V Le Denny Zhou et\u00a0al. 2022. Chain-of-thought prompting elicits reasoning in large language models. Advances in neural information processing systems 35 (2022) 24824\u201324837."},{"key":"e_1_3_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3531146.3533088"},{"key":"e_1_3_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00027"},{"key":"e_1_3_3_2_26_2","unstructured":"Jiaqi Xue Mengxin Zheng Yebowen Hu Fei Liu Xun Chen and Qian Lou. 2024. Badrag: Identifying vulnerabilities in retrieval augmented generation of large language models. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2406.00083 (2024)."},{"key":"e_1_3_3_2_27_2","doi-asserted-by":"crossref","unstructured":"Yifan Yao Jinhao Duan Kaidi Xu Yuanfang Cai Zhibo Sun and Yue Zhang. 2024. A survey on large language model (llm) security and privacy: The good the bad and the ugly. High-Confidence Computing (2024) 100211.","DOI":"10.1016\/j.hcc.2024.100211"},{"key":"e_1_3_3_2_28_2","unstructured":"Lianmin Zheng Wei-Lin Chiang Ying Sheng Siyuan Zhuang Zhanghao Wu Yonghao Zhuang Zi Lin Zhuohan Li Dacheng Li Eric Xing et\u00a0al. 2023. Judging llm-as-a-judge with mt-bench and chatbot arena. Advances in Neural Information Processing Systems 36 (2023) 46595\u201346623."},{"key":"e_1_3_3_2_29_2","unstructured":"Wei Zou Runpeng Geng Binghui Wang and Jinyuan Jia. 2024. Poisonedrag: Knowledge corruption attacks to retrieval-augmented generation of large language models. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2402.07867 (2024)."}],"event":{"name":"AISec '25: Proceedings of the 2025 Workshop on Artificial Intelligence and Security","location":"Taipei , Taiwan","acronym":"AISec '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 18th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3733799.3762976","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,30]],"date-time":"2025-12-30T11:52:48Z","timestamp":1767095568000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3733799.3762976"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"references-count":28,"alternative-id":["10.1145\/3733799.3762976","10.1145\/3733799"],"URL":"https:\/\/doi.org\/10.1145\/3733799.3762976","relation":{},"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"2025-12-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}