Table of Contents
Fetching ...

Token-Efficient Prompt Injection Attack: Provoking Cessation in LLM Reasoning via Adaptive Token Compression

Yu Cui, Yujun Cai, Yiwei Wang

TL;DR

This work identifies a thinking-stopped vulnerability in reasoning-focused LLMs (exemplified by DeepSeek-R1) and introduces the Reasoning Interruption Attack, a prompt-injection method that leverages adaptive token compression to minimize prompt length while preserving attack efficacy. It demonstrates that simple arithmetic prompts can trigger the vulnerability, constructs a dedicated attack-prompt dataset, and develops an adaptive compression framework that reduces token usage by about 40% (roughly a 60% compression rate) without sacrificing attack success. The authors also explore attack strategies via output prefixes, revealing that combining prompts in both user input and prefixes can achieve near 100% ASR for certain operations and uncover the role of special tokens like <|end_of_thinking|> in terminating CoT reasoning. The findings offer practical insights for securing reasoning LLMs and guiding the design of more robust architectures against system-level prompt-injection-like threats in reasoning tasks.

Abstract

While reasoning large language models (LLMs) demonstrate remarkable performance across various tasks, they also contain notable security vulnerabilities. Recent research has uncovered a "thinking-stopped" vulnerability in DeepSeek-R1, where model-generated reasoning tokens can forcibly interrupt the inference process, resulting in empty responses that compromise LLM-integrated applications. However, existing methods triggering this vulnerability require complex mathematical word problems with long prompts--even exceeding 5,000 tokens. To reduce the token cost and formally define this vulnerability, we propose a novel prompt injection attack named "Reasoning Interruption Attack", based on adaptive token compression. We demonstrate that simple standalone arithmetic tasks can effectively trigger this vulnerability, and the prompts based on such tasks exhibit simpler logical structures than mathematical word problems. We develop a systematic approach to efficiently collect attack prompts and an adaptive token compression framework that utilizes LLMs to automatically compress these prompts. Experiments show our compression framework significantly reduces prompt length while maintaining effective attack capabilities. We further investigate the attack's performance via output prefix and analyze the underlying causes of the vulnerability, providing valuable insights for improving security in reasoning LLMs.

Token-Efficient Prompt Injection Attack: Provoking Cessation in LLM Reasoning via Adaptive Token Compression

TL;DR

This work identifies a thinking-stopped vulnerability in reasoning-focused LLMs (exemplified by DeepSeek-R1) and introduces the Reasoning Interruption Attack, a prompt-injection method that leverages adaptive token compression to minimize prompt length while preserving attack efficacy. It demonstrates that simple arithmetic prompts can trigger the vulnerability, constructs a dedicated attack-prompt dataset, and develops an adaptive compression framework that reduces token usage by about 40% (roughly a 60% compression rate) without sacrificing attack success. The authors also explore attack strategies via output prefixes, revealing that combining prompts in both user input and prefixes can achieve near 100% ASR for certain operations and uncover the role of special tokens like <|end_of_thinking|> in terminating CoT reasoning. The findings offer practical insights for securing reasoning LLMs and guiding the design of more robust architectures against system-level prompt-injection-like threats in reasoning tasks.

Abstract

While reasoning large language models (LLMs) demonstrate remarkable performance across various tasks, they also contain notable security vulnerabilities. Recent research has uncovered a "thinking-stopped" vulnerability in DeepSeek-R1, where model-generated reasoning tokens can forcibly interrupt the inference process, resulting in empty responses that compromise LLM-integrated applications. However, existing methods triggering this vulnerability require complex mathematical word problems with long prompts--even exceeding 5,000 tokens. To reduce the token cost and formally define this vulnerability, we propose a novel prompt injection attack named "Reasoning Interruption Attack", based on adaptive token compression. We demonstrate that simple standalone arithmetic tasks can effectively trigger this vulnerability, and the prompts based on such tasks exhibit simpler logical structures than mathematical word problems. We develop a systematic approach to efficiently collect attack prompts and an adaptive token compression framework that utilizes LLMs to automatically compress these prompts. Experiments show our compression framework significantly reduces prompt length while maintaining effective attack capabilities. We further investigate the attack's performance via output prefix and analyze the underlying causes of the vulnerability, providing valuable insights for improving security in reasoning LLMs.
Paper Structure (24 sections, 5 equations, 9 figures, 2 tables, 1 algorithm)

This paper contains 24 sections, 5 equations, 9 figures, 2 tables, 1 algorithm.

Figures (9)

  • Figure 1: An example of prompt injection attack based on thinking-stopped vulnerability in DeepSeek-R1.
  • Figure 2: Comprehensive comparison between our token-efficient prompt injection attack approach based on the subtraction dataset and previous attack method (baseline). Overall, our solution significantly reduces token consumption while maintaining a high attack success rate (ASR).
  • Figure 3: Overview of adaptive token compression framework.
  • Figure 4: The reasoning interruption attack approaches based on chat prefix completion.
  • Figure 5: Token compression result of the attack prompts.
  • ...and 4 more figures