What If Prompt Injection Never Left? Exploring Cross-Session Stored Prompt Injection in Agentic Systems

Modern agentic systems transform LLMs from session-bounded assistants into stateful systems that persist and evolve shared world state across sessions through memories, filesystems, tools, and other long-lived contextual artifacts. This shift fundamentally expands the attack surface of prompt injection. However, prior works on prompt injection have largely focused on model-level threats within a single session, overlooking how cross-session persistent system state fundamentally changes the system-level risk of agentic systems. Inspired by stored cross-site scripting in web systems, we introduce cross-session stored prompt injection, where a successful injection can persist within agentic system state and silently influence future executions long after the original attacker interaction has ended. To systematically study this threat, we formalize stored prompt injection and develop a taxonomy of how adversarial content persists and affects agentic systems across sessions. We further develop a benchmark and sandbox toolkit to evaluate the risks of stored prompt injection, enabling quantitative analysis of attack success across different models, attack goals, and persistence channels. Our findings highlight that persistence transforms prompt injection from an ephemeral model-level threat into a long-lived system-level vulnerability embedded within agent execution state. We hope this work draws broader attention to this emerging threat and motivates the community to systematically study and mitigate system risks arising from persistence in agentic systems.

翻译：现代智能体系统将大语言模型从局限于会话的助手转变为有状态系统，通过记忆、文件系统、工具及其他长期存在的上下文构件，跨会话持久化并进化共享的世界状态。这一转变根本上扩展了提示注入的攻击面。然而，先前关于提示注入的研究主要聚焦于单次会话内的模型级威胁，忽视了跨会话的持久化系统状态如何根本性地改变智能体系统的系统级风险。受Web系统中跨站脚本存储的启发，我们引入了跨会话存储的提示注入：一次成功的注入可持久存在于智能体系统状态中，并在原始攻击者交互结束很久后仍静默影响未来的执行。为系统性地研究这一威胁，我们对存储提示注入进行了形式化定义，并建立了一个关于对抗性内容如何跨会话持久化并影响智能体系统的分类体系。我们进一步开发了一个基准测试和沙盒工具包，用于评估存储提示注入的风险，从而能够对不同模型、攻击目标和持久化渠道下的攻击成功率进行定量分析。我们的研究结果表明，持久化将提示注入从一种短暂的模型级威胁转变为嵌入智能体执行状态中的长期系统级漏洞。我们希望这项工作能引起对这一新兴威胁的更广泛关注，并激励社区系统性地研究与缓解源自智能体系统持久化的系统风险。