Trendyol\u2019s application security team uncovered a series of bypasses that render Meta\u2019s Llama Firewall protections<\/a> unreliable against sophisticated prompt injection attacks. <\/p>\n The findings raise fresh concerns about the readiness of existing LLM security measures and underscore the urgent need for more robust defenses as enterprises increasingly embed large language models into their workflows.<\/p>\n During the assessment, Trendyol engineers deployed Meta\u2019s open-source Llama Firewall, focusing on its PROMPT_GUARD component intended to screen out malicious user instructions. <\/p>\n To their surprise, the guard allowed a Turkish-language injection containing the phrase \u201c\u00fcstteki y\u00f6nlendirmeleri salla,\u201d which instructs the model to ignore preceding directions and then translate a sentence into French. <\/p>\n The scan returned a benign result despite the clearly malicious intent. The team further demonstrated that simple leetspeak obfuscations transforming \u201cignore\u201d into \u201c1gn0r3,\u201d for instance also slipped past the filter, receiving negligible jailbreak scores when tested against the Llama-Prompt-Guard-2\u201386M model.<\/p>\n These experiments revealed that the firewall\u2019s rule set largely depends on English keywords and exact pattern matches, leaving it blind to variations in language or character substitutions.<\/p>\n Equally troubling was the team\u2019s evaluation of CODE_SHIELD, the module designed to flag insecure code suggestions generated by LLMs. <\/p>\n In one proof-of-concept, the researchers instructed an assistant to produce a simple Python Flask endpoint with a SQL query. The resulting code concatenated user input directly into the query string, creating a textbook SQL injection vulnerability<\/a>.<\/p>\n Despite the glaring risk, CODE_SHIELD classified the output as safe and allowed it through unchallenged.<\/p>\n Trendyol\u2019s developers emphasized several critical concerns about this shortcoming:<\/p>\n The oversight illustrates how these automated systems can create dangerous blind spots in enterprise security frameworks.<\/p>\n The most insidious bypass involved embedding hidden instructions within invisible Unicode characters. <\/p>\n By inserting zero-width spaces and other non-printing code points around the phrase \u201cignore all previous instructions,\u201d the researchers camouflaged malicious directives inside an innocuous question about the capital of France. <\/p>\n Although users and casual observers saw only a harmless query, the LLM recognized and executed the concealed command. When submitted to Llama Firewall, this payload passed inspection with a zero-threat score. <\/p>\n Trendyol\u2019s team demonstrated that even minimal invisible payloads could reliably subvert system prompts and cause models to produce arbitrary or harmful outputs. <\/p>\n This technique poses a particularly acute threat in collaborative settings where prompts are copy-pasted among developers, and automated scanners lack visibility into hidden characters.<\/p>\n In total, Trendyol tested one hundred unique injection payloads against Llama Firewall. Half of these attacks bypassed the system\u2019s defenses, suggesting that while the firewall offers some protection, it is far from comprehensive. <\/p>\n The successful bypasses highlight scenarios in which attackers could coerce LLMs to disregard critical safety filters, output biased or offensive content, or generate insecure code ready for execution. <\/p>\n For organizations like Trendyol, which plan to integrate LLMs into developer platforms, automation pipelines, and customer-facing applications, these vulnerabilities represent concrete risks that could lead to data leaks, system compromise, or regulatory noncompliance.<\/p>\n Trendyol\u2019s security researchers reported<\/a> their initial findings to Meta on May 5, 2025, detailing the multilingual and obfuscated prompt injections. <\/p>\n Meta acknowledged receipt and began an internal review but ultimately closed the report as \u201cinformative\u201d on June 3, declining to issue a bug bounty. <\/p>\n A parallel disclosure to Google regarding invisible Unicode injections was similarly closed as a duplicate. <\/p>\n Despite the lukewarm vendor responses, Trendyol has since refined its own threat modeling practices and is sharing its case study with the broader AI security community. <\/p>\n The company urges other organizations to conduct rigorous red-teaming of LLM defenses before rolling them into production, stressing that prompt filtering alone cannot prevent all forms of compromise.<\/p>\n As enterprises race to harness the power of generative AI, Trendyol\u2019s research serves as a cautionary tale: without layered, context-aware safeguards, even cutting-edge firewall tools can fall prey to deceptively simple attack vectors. <\/p>\n The security community must now collaborate on more resilient detection methods and best practices to stay ahead of adversaries who continuously innovate new ways to manipulate these powerful systems.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post Meta\u2019s Llama Firewall Bypassed Using Prompt Injection Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1. Meta's PROMPT_GUARD failed to block Turkish phrases like \"\u00fcstteki y\u00f6nlendirmeleri salla\" and leetspeak such as \"1gn0r3,\" exposing reliance on English keywords and exact matches.
2. The module missed a SQL injection in LLM-generated Python code, with risks of unverified code use, security gaps, system exposure, and false trust in automated scans.
3. Invisible Unicode characters hid malicious instructions in benign prompts, bypassing Llama Firewall and posing risks in collaborative settings.
4. Testing and Disclosure Of 100 payloads tested, half succeeded; Meta closed Trendyol\u2019s May 5, 2025 report as \"informative\" by June 3 without a bounty, urging the AI security community to develop robust defenses against evolving threats.<\/pre>\nMeta\u2019s Llama Firewall Bypassed<\/strong><\/h2>\n
\n
Unicode Steganography and Invisible Instructions<\/strong><\/h2>\n
<\/figure>\n<\/div>\n