CompressionAttack: Exploiting Prompt Compression as a New Attack Surface in LLM-Powered Agents
- URL: http://arxiv.org/abs/2510.22963v2
- Date: Fri, 07 Nov 2025 09:01:26 GMT
- Title: CompressionAttack: Exploiting Prompt Compression as a New Attack Surface in LLM-Powered Agents
- Authors: Zesen Liu, Zhixiang Zhang, Yuchong Xie, Dongdong She
- Abstract summary: This work identifies prompt compression as a novel attack surface and presents CompressionAttack, the first framework to exploit it. Experiments on multiple LLMs show up to 80% attack success and 98% preference flips, while remaining highly stealthy and transferable. Case studies in VSCode Cline and Ollama confirm real-world impact, and current defenses prove ineffective.
- Score: 7.68677090046928
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: LLM-powered agents often use prompt compression to reduce inference costs, but this introduces a new security risk. Compression modules, which are optimized for efficiency rather than safety, can be manipulated by adversarial inputs, causing semantic drift and altering LLM behavior. This work identifies prompt compression as a novel attack surface and presents CompressionAttack, the first framework to exploit it. CompressionAttack includes two strategies: HardCom, which uses discrete adversarial edits for hard compression, and SoftCom, which performs latent-space perturbations for soft compression. Experiments on multiple LLMs show up to 80% attack success and 98% preference flips, while remaining highly stealthy and transferable. Case studies in VSCode Cline and Ollama confirm real-world impact, and current defenses prove ineffective, highlighting the need for stronger protections.
Related papers
- Arbitrary Ratio Feature Compression via Next Token Prediction [52.10426317889982]
The Arbitrary Ratio Feature Compression (ARFC) framework supports any compression ratio with a single model. ARC is an auto-regressive model that performs compression via next-token prediction. The MoS module refines the compressed tokens by utilizing multiple compression results. ERGC is integrated into the training process to preserve semantic and structural relationships during compression.
arXiv Detail & Related papers (2026-02-12T02:38:57Z)
- Less Is More -- Until It Breaks: Security Pitfalls of Vision Token Compression in Large Vision-Language Models [69.84867664371826]
We show that visual token compression substantially degrades the robustness of Large Vision-Language Models (LVLMs). Small and imperceptible perturbations can significantly alter token importance ranking, leading the compression mechanism to mistakenly discard task-critical information. We propose a Compression-Aware Attack to systematically study and exploit this vulnerability.
arXiv Detail & Related papers (2026-01-17T13:02:41Z)
- Cmprsr: Abstractive Token-Level Question-Agnostic Prompt Compressor [36.57824786347272]
We present the first comprehensive LLM-as-a-compressor benchmark spanning 25 open- and closed-source models. We improve the performance of the best overall vanilla compressor with Textgrad-based compression meta-prompt optimization. We call the resulting model Cmprsr and demonstrate its superiority over both extractive and vanilla abstractive compression.
arXiv Detail & Related papers (2025-11-15T16:28:03Z)
- Compressing Many-Shots in In-Context Learning [61.231471139896506]
We study an approach to improve the memory and computational efficiency of ICL inference by compressing the many-shot prompts. We first show that existing prompt compression methods are ineffective for many-shot compression. We propose MemCom, a layer-wise compression method.
arXiv Detail & Related papers (2025-10-17T16:57:42Z)
- Autoencoding-Free Context Compression for LLMs via Contextual Semantic Anchors [43.02557489472655]
Current context compression methods rely on autoencoding tasks to train context-agnostic compression tokens to compress contextual semantics. We propose Semantic-Anchor Compression (SAC), a novel method that shifts from autoencoding-task-based compression to an architecture that is equipped with this compression capability. SAC consistently outperforms existing context compression methods across various compression ratios.
arXiv Detail & Related papers (2025-10-10T01:42:14Z)
- The Pitfalls of KV Cache Compression [52.196873305708955]
We show that certain instructions degrade much more rapidly with compression. We show several factors that play a role in prompt leakage: compression method, instruction order, and KV eviction bias.
arXiv Detail & Related papers (2025-09-30T19:55:26Z)
- Joint Lossless Compression and Steganography for Medical Images via Large Language Models [63.454510290574355]
We propose a novel joint lossless compression and steganography framework for medical images. Inspired by bit plane slicing (BPS), we find it feasible to embed privacy messages into medical images in an invisible manner.
arXiv Detail & Related papers (2025-08-03T14:45:51Z)
- Understanding and Improving Information Preservation in Prompt Compression for LLMs [15.797246416590339]
In information-intensive tasks, the prompt length can grow fast, leading to increased computational requirements, performance degradation, and induced biases from irrelevant or redundant information. We propose a holistic evaluation framework that allows for in-depth analysis of prompt compression methods.
arXiv Detail & Related papers (2025-03-24T20:06:11Z)
- Robust and Transferable Backdoor Attacks Against Deep Image Compression With Selective Frequency Prior [118.92747171905727]
This paper introduces a novel frequency-based trigger injection model for launching backdoor attacks with multiple triggers on learned image compression models. We design attack objectives tailored to diverse scenarios, including: 1) degrading compression quality in terms of bit-rate and reconstruction accuracy; 2) targeting task-driven measures like face recognition and semantic segmentation. Experiments show that our trigger injection models, combined with minor modifications to encoder parameters, successfully inject multiple backdoors and their triggers into a single compression model.
arXiv Detail & Related papers (2024-12-02T15:58:40Z)
- Position IDs Matter: An Enhanced Position Layout for Efficient Context Compression in Large Language Models [34.92897341188079]
Using special tokens to compress context information is a common practice for large language models (LLMs). We propose Enhanced Position Layout (EPL), a method that improves the context compression capability of LLMs by only adjusting position IDs.
arXiv Detail & Related papers (2024-09-22T08:51:18Z)
- Beyond Perplexity: Multi-dimensional Safety Evaluation of LLM Compression [33.45167213570976]
We investigate the impact of model compression on four dimensions: (1) degeneration harm, i.e., bias and toxicity in generation; (2) representational harm, i.e., biases in discriminative tasks; (3) dialect bias; and (4) language modeling and downstream task performance. Our analysis reveals that compression can lead to unexpected consequences.
arXiv Detail & Related papers (2024-07-06T05:56:22Z)
- Long Context Compression with Activation Beacon [22.054232261437186]
Activation Beacon is a plug-in module for transformer-based LLMs. It targets effective, efficient, and flexible compression of long contexts. It achieves a 2x acceleration in inference time and an 8x reduction of memory costs for the KV cache.
arXiv Detail & Related papers (2024-01-07T11:57:40Z)
- Compressing LLMs: The Truth is Rarely Pure and Never Simple [90.05366363633568]
The Knowledge-Intensive Compressed LLM BenchmarK (LLM-KICK) aims to redefine the evaluation protocol for compressed Large Language Models. LLM-KICK unveils many favorable merits and unfortunate plights of current SoTA compression methods. LLM-KICK is designed to holistically assess compressed LLMs' ability for language understanding, reasoning, generation, in-context retrieval, in-context summarization, etc.
arXiv Detail & Related papers (2023-10-02T17:42:37Z)
- Do Compressed LLMs Forget Knowledge? An Experimental Study with Practical Implications [63.29358103217275]
Compressing Large Language Models (LLMs) often leads to reduced performance, especially for knowledge-intensive tasks. We propose two conjectures on the nature of the damage: one is that certain knowledge is forgotten (or erased) after compression. We introduce a variant called Inference-time Dynamic Prompting (IDP) that can effectively increase prompt diversity without incurring any inference overhead.
arXiv Detail & Related papers (2023-10-02T03:12:06Z)
This list is automatically generated from the titles and abstracts of the papers in this site.