Retrieval-Augmented Generation (RAG) improves pre-trained models by incorporating external knowledge at test time to enable customized adaptation. We study the risk of datastore leakage in Retrieval-In-Context RAG Language Models (LMs). We show that an adversary can exploit LMs' instruction-following capabilities to easily extract text data verbatim from the datastore of RAG systems built with instruction-tuned LMs via prompt injection. The vulnerability exists for a wide range of modern LMs that span Llama2, Mistral/Mixtral, Vicuna, SOLAR, WizardLM, Qwen1.5, and Platypus2, and the exploitability exacerbates as the model size scales up. Extending our study to production RAG models GPTs, we design an attack that can cause datastore leakage with a 100% success rate on 25 randomly selected customized GPTs with at most 2 queries, and we extract text data verbatim at a rate of 41% from a book of 77,000 words and 3% from a corpus of 1,569,000 words by prompting the GPTs with only 100 queries generated by themselves.

翻译：检索增强生成（RAG）通过在测试时引入外部知识来改进预训练模型，从而实现定制化适应。我们研究了检索上下文RAG语言模型（LMs）中数据存储泄漏的风险。研究表明，攻击者可以利用LM的指令遵循能力，通过提示注入，从基于指令微调LM构建的RAG系统的数据存储中轻松逐字提取文本数据。该漏洞存在于包括Llama2、Mistral/Mixtral、Vicuna、SOLAR、WizardLM、Qwen1.5和Platypus2在内的多种现代LM中，且随着模型规模扩大，可攻击性加剧。将研究扩展到生产级RAG模型GPTs后，我们设计了一种攻击方法，能在25个随机选定的定制GPT上以100%的成功率（最多2次查询）导致数据存储泄漏，并通过仅由GPT自身生成的100次查询，从一本77,000词的书中逐字提取41%的文本数据，以及从1,569,000词的语料库中提取3%的文本数据。