AVE-2025-0001 — Sleeper Payload Injection

Sleeper Payload Injection

🔴 CRITICAL memory proven_mitigated AVE-2025-0001

· aka: Memory Poisoning, Delayed Payload Injection

Summary

Attacker plants false facts in shared agent memory. The agent stores them as trusted ground truth. Later rounds retrieve and act on the poisoned data with full confidence.

Blast Radius

Complete corruption of agent knowledge base. All downstream decisions tainted.

Prerequisites

Agent must have writable shared memory or persistent state.

Environment

Frameworks: LangGraph
Models tested: [Available in NAIL SDK]
Multi-agent: Yes
Tools required: No
Memory required: Yes

Known Defences

Memory Firewall (Archivist) — layer

🔒 Full defence implementations available through the NAIL SDK.

AVE-2025-0009
AVE-2025-0022
AVE-2025-0034
AVE-2025-0029
AVE-2025-0020
CWE: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes)

🛡️ NAIL Institute — AVE Database