Inferensys

Glossary

Base64 Injection

An obfuscation technique that encodes a malicious prompt in Base64 format to bypass text-based safety classifiers, relying on the model's ability to decode and execute the hidden instruction.
ML engineer managing model versions on laptop, version history visible, technical Git-like workflow.
OBFUSCATION ATTACK

What is Base64 Injection?

An adversarial technique that encodes malicious prompts in Base64 format to evade text-based safety classifiers, exploiting a model's ability to decode and execute the hidden instruction.

Base64 injection is an obfuscation attack where an adversary encodes a malicious prompt using the Base64 binary-to-text encoding scheme to bypass keyword-based and semantic safety filters. Because safety classifiers are typically trained on natural language patterns, they fail to recognize harmful intent within an encoded string, while the target language model readily decodes and executes the hidden instruction.

This technique exploits the asymmetry between a model's decoding capability and its safety alignment, which is rarely trained on encoded representations. Defenses include perplexity filters that flag high-entropy strings, recursive decoding checks, and instruction hierarchies that enforce refusal on decoded content regardless of its original format.

OBFUSCATION ATTACK VECTOR

Key Characteristics of Base64 Injection

Base64 injection is an adversarial technique that encodes malicious prompts in Base64 format to evade text-based safety classifiers, exploiting the model's native ability to decode and execute hidden instructions.

01

Encoding as Evasion

The core mechanism relies on obfuscation by encoding. Safety classifiers and input filters are typically trained on natural language patterns. By converting a malicious prompt like 'Ignore all previous instructions' into a Base64 string (SWdub3JlIGFsbCBwcmV2aW91cyBpbnN0cnVjdGlvbnM=), the attack bypasses keyword-based detection and semantic analysis at the input layer. The model, which natively understands Base64, decodes the payload internally and executes the hidden command.

02

Multi-Layer Encoding Variants

Attackers often chain encoding schemes to increase stealth:

  • Double Base64: Encoding an already-encoded string to defeat single-layer decoding defenses
  • Base64 + ROT13: Combining encoding with a simple substitution cipher
  • Fragmented Payloads: Splitting the Base64 string across multiple messages or data fields, instructing the model to concatenate before decoding
  • Mixed Encoding: Embedding Base64 snippets within otherwise benign text to avoid triggering anomaly detection on the entire input
03

Common Attack Vectors

Base64 injection manifests in several delivery channels:

  • User prompts: Directly pasting encoded instructions into chat interfaces
  • Document ingestion: Embedding encoded payloads in uploaded PDFs, images, or spreadsheets processed by RAG systems
  • API parameters: Injecting encoded strings into JSON fields or URL parameters consumed by agent tool calls
  • Email and web content: Hiding instructions in Base64-encoded MIME attachments or data URIs that autonomous agents retrieve and process
04

Why Models Are Vulnerable

Large language models are trained on diverse corpora that include code, configuration files, and encoded data. This training imbues them with the ability to fluently decode Base64 and other encoding schemes as a native capability. The vulnerability arises because safety alignment training is predominantly conducted on natural language, not encoded representations. The model's instruction-following behavior treats a decoded 'Ignore previous instructions' with the same authority as if it were typed plainly, creating a semantic gap that adversaries exploit.

05

Detection and Mitigation Strategies

Defending against Base64 injection requires a defense-in-depth approach:

  • Input decoding and rescanning: Automatically decode any Base64 strings in user input and re-run safety classifiers on the decoded content before model processing
  • Perplexity analysis: Encoded strings often exhibit abnormal token distributions that can be flagged by statistical filters
  • Instruction hierarchy enforcement: Training models to strictly prioritize system-level instructions over any content decoded from user input
  • Recursive sanitization: Iteratively decoding and scanning until no encoded content remains, preventing nested encoding attacks
06

Relationship to Other Injection Techniques

Base64 injection is a specific subclass of payload obfuscation and shares DNA with related attack vectors:

  • Token smuggling: Both exploit the gap between token-level filtering and semantic understanding
  • CipherChat: Uses substitution ciphers rather than encoding schemes but follows the same obfuscation principle
  • Indirect prompt injection: Base64 payloads are frequently embedded in retrieved documents, combining both attack surfaces
  • Payload splitting: Encoded fragments can be distributed across multiple sources and reassembled by the model
BASE64 INJECTION

Frequently Asked Questions

Explore the mechanics, risks, and mitigation strategies for Base64 injection attacks that attempt to bypass AI safety classifiers through encoded malicious prompts.

Base64 injection is an obfuscation technique that encodes a malicious prompt or restricted instruction into a Base64 string to bypass text-based safety classifiers and content filters. The attack exploits the fact that many large language models possess the emergent capability to decode Base64-encoded text natively, even when the encoding is not explicitly requested. An attacker crafts a harmful instruction—such as generating malware or hate speech—encodes it using the Base64 scheme, and presents the encoded string to the model with a directive like "Decode and execute the following: bWFsaWNpb3VzIGluc3RydWN0aW9u." Because the raw encoded payload appears as random alphanumeric gibberish to pattern-matching classifiers, it slips past input filters. The model, however, interprets the Base64 as a legitimate transformation task, decodes it into its latent representation, and executes the now-revealed harmful instruction. This technique is particularly dangerous because it leverages the model's own reasoning capabilities against its safety guardrails, turning a helpful feature—multilingual and multi-format understanding—into an attack vector.

OBFUSCATION TECHNIQUE COMPARISON

Base64 Injection vs. Related Obfuscation Attacks

A comparison of Base64 injection against other encoding and obfuscation-based jailbreak methods that evade text-based safety classifiers by transforming malicious payloads into non-standard representations.

FeatureBase64 InjectionCipherChatToken Smuggling

Encoding Mechanism

Base64 binary-to-text encoding scheme

Simple substitution cipher (e.g., Caesar, Morse)

Splitting forbidden tokens across token boundaries

Primary Evasion Target

Text-based input filters and keyword blocklists

Safety alignment trained on natural language

Token-level safety classifiers and input sanitizers

Model Capability Required

Native Base64 decoding ability

Cipher decryption and instruction following

Tokenization boundary awareness

Payload Visibility to Humans

Obfuscated but trivially reversible

Obfuscated; requires cipher knowledge

Partially visible; fragments appear innocuous

Detection Difficulty for Automated Filters

Moderate; detectable via entropy analysis

High; output resembles random character sequences

High; individual tokens appear benign

Attack Complexity

Low; single encoding step

Medium; requires cipher definition in prompt

High; requires knowledge of model tokenizer

Defense Mechanism

Decode and scan all Base64 strings before inference

Perplexity filtering and cipher detection heuristics

Tokenization-aware input canonicalization

Real-World Prevalence

0.3%

0.1%

0.5%

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.