With the development of natural language processing (NLP), large language models (LLMs) are becoming increasingly popular. LLMs are integrating more into everyday life, raising public concerns about their security vulnerabilities. Consequently, the security of large language models is becoming critically important. Currently, the techniques for attacking and defending against LLMs are continuously evolving. One significant method type of attack is the jailbreak attack, which designed to evade model safety mechanisms and induce the generation of inappropriate content. Existing jailbreak attacks primarily rely on crafting inducement prompts for direct jailbreaks, which are less effective against large models with robust filtering and high comprehension abilities. Given the increasing demand for real-time capabilities in large language models, real-time updates and iterations of new knowledge have become essential. Retrieval-Augmented Generation (RAG), an advanced technique to compensate for the model's lack of new knowledge, is gradually becoming mainstream. As RAG enables the model to utilize external knowledge bases, it provides a new avenue for jailbreak attacks. In this paper, we conduct the first work to propose the concept of indirect jailbreak and achieve Retrieval-Augmented Generation via LangChain. Building on this, we further design a novel method of indirect jailbreak attack, termed Poisoned-LangChain (PLC), which leverages a poisoned external knowledge base to interact with large language models, thereby causing the large models to generate malicious non-compliant dialogues.We tested this method on six different large language models across three major categories of jailbreak issues. The experiments demonstrate that PLC successfully implemented indirect jailbreak attacks under three different scenarios, achieving success rates of 88.56%, 79.04%, and 82.69% respectively.

翻译：随着自然语言处理（NLP）的发展，大语言模型（LLM）正变得越来越普及。LLM正日益融入日常生活，引发了公众对其安全漏洞的担忧。因此，大语言模型的安全性变得至关重要。目前，针对LLM的攻击与防御技术持续演进。一类重要的攻击方法是越狱攻击，其旨在规避模型的安全机制并诱导生成不当内容。现有的越狱攻击主要依赖于精心设计诱导提示进行直接越狱，这对于具备强大过滤和高理解能力的大模型效果有限。鉴于大语言模型对实时能力的需求日益增长，新知识的实时更新与迭代变得必不可少。检索增强生成（RAG）作为一种弥补模型新知识不足的先进技术，正逐渐成为主流。由于RAG使模型能够利用外部知识库，这为越狱攻击提供了新的途径。在本文中，我们首次提出间接越狱的概念，并通过LangChain实现检索增强生成。在此基础上，我们进一步设计了一种新颖的间接越狱攻击方法，称为中毒的LangChain（PLC），该方法利用中毒的外部知识库与大语言模型交互，从而导致大模型生成恶性的违规对话。我们在六种不同的大语言模型上，针对三大类越狱问题测试了该方法。实验表明，PLC在三种不同场景下成功实施了间接越狱攻击，成功率分别达到88.56%、79.04%和82.69%。