Base64 injection is an obfuscation attack where an adversary encodes a malicious prompt using the Base64 binary-to-text encoding scheme to bypass keyword-based and semantic safety filters. Because safety classifiers are typically trained on natural language patterns, they fail to recognize harmful intent within an encoded string, while the target language model readily decodes and executes the hidden instruction.
Glossary
Base64 Injection

What is Base64 Injection?
An adversarial technique that encodes malicious prompts in Base64 format to evade text-based safety classifiers, exploiting a model's ability to decode and execute the hidden instruction.
This technique exploits the asymmetry between a model's decoding capability and its safety alignment, which is rarely trained on encoded representations. Defenses include perplexity filters that flag high-entropy strings, recursive decoding checks, and instruction hierarchies that enforce refusal on decoded content regardless of its original format.
Key Characteristics of Base64 Injection
Base64 injection is an adversarial technique that encodes malicious prompts in Base64 format to evade text-based safety classifiers, exploiting the model's native ability to decode and execute hidden instructions.
Encoding as Evasion
The core mechanism relies on obfuscation by encoding. Safety classifiers and input filters are typically trained on natural language patterns. By converting a malicious prompt like 'Ignore all previous instructions' into a Base64 string (SWdub3JlIGFsbCBwcmV2aW91cyBpbnN0cnVjdGlvbnM=), the attack bypasses keyword-based detection and semantic analysis at the input layer. The model, which natively understands Base64, decodes the payload internally and executes the hidden command.
Multi-Layer Encoding Variants
Attackers often chain encoding schemes to increase stealth:
- Double Base64: Encoding an already-encoded string to defeat single-layer decoding defenses
- Base64 + ROT13: Combining encoding with a simple substitution cipher
- Fragmented Payloads: Splitting the Base64 string across multiple messages or data fields, instructing the model to concatenate before decoding
- Mixed Encoding: Embedding Base64 snippets within otherwise benign text to avoid triggering anomaly detection on the entire input
Common Attack Vectors
Base64 injection manifests in several delivery channels:
- User prompts: Directly pasting encoded instructions into chat interfaces
- Document ingestion: Embedding encoded payloads in uploaded PDFs, images, or spreadsheets processed by RAG systems
- API parameters: Injecting encoded strings into JSON fields or URL parameters consumed by agent tool calls
- Email and web content: Hiding instructions in Base64-encoded MIME attachments or data URIs that autonomous agents retrieve and process
Why Models Are Vulnerable
Large language models are trained on diverse corpora that include code, configuration files, and encoded data. This training imbues them with the ability to fluently decode Base64 and other encoding schemes as a native capability. The vulnerability arises because safety alignment training is predominantly conducted on natural language, not encoded representations. The model's instruction-following behavior treats a decoded 'Ignore previous instructions' with the same authority as if it were typed plainly, creating a semantic gap that adversaries exploit.
Detection and Mitigation Strategies
Defending against Base64 injection requires a defense-in-depth approach:
- Input decoding and rescanning: Automatically decode any Base64 strings in user input and re-run safety classifiers on the decoded content before model processing
- Perplexity analysis: Encoded strings often exhibit abnormal token distributions that can be flagged by statistical filters
- Instruction hierarchy enforcement: Training models to strictly prioritize system-level instructions over any content decoded from user input
- Recursive sanitization: Iteratively decoding and scanning until no encoded content remains, preventing nested encoding attacks
Relationship to Other Injection Techniques
Base64 injection is a specific subclass of payload obfuscation and shares DNA with related attack vectors:
- Token smuggling: Both exploit the gap between token-level filtering and semantic understanding
- CipherChat: Uses substitution ciphers rather than encoding schemes but follows the same obfuscation principle
- Indirect prompt injection: Base64 payloads are frequently embedded in retrieved documents, combining both attack surfaces
- Payload splitting: Encoded fragments can be distributed across multiple sources and reassembled by the model
Frequently Asked Questions
Explore the mechanics, risks, and mitigation strategies for Base64 injection attacks that attempt to bypass AI safety classifiers through encoded malicious prompts.
Base64 injection is an obfuscation technique that encodes a malicious prompt or restricted instruction into a Base64 string to bypass text-based safety classifiers and content filters. The attack exploits the fact that many large language models possess the emergent capability to decode Base64-encoded text natively, even when the encoding is not explicitly requested. An attacker crafts a harmful instruction—such as generating malware or hate speech—encodes it using the Base64 scheme, and presents the encoded string to the model with a directive like "Decode and execute the following: bWFsaWNpb3VzIGluc3RydWN0aW9u." Because the raw encoded payload appears as random alphanumeric gibberish to pattern-matching classifiers, it slips past input filters. The model, however, interprets the Base64 as a legitimate transformation task, decodes it into its latent representation, and executes the now-revealed harmful instruction. This technique is particularly dangerous because it leverages the model's own reasoning capabilities against its safety guardrails, turning a helpful feature—multilingual and multi-format understanding—into an attack vector.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Base64 Injection vs. Related Obfuscation Attacks
A comparison of Base64 injection against other encoding and obfuscation-based jailbreak methods that evade text-based safety classifiers by transforming malicious payloads into non-standard representations.
| Feature | Base64 Injection | CipherChat | Token Smuggling |
|---|---|---|---|
Encoding Mechanism | Base64 binary-to-text encoding scheme | Simple substitution cipher (e.g., Caesar, Morse) | Splitting forbidden tokens across token boundaries |
Primary Evasion Target | Text-based input filters and keyword blocklists | Safety alignment trained on natural language | Token-level safety classifiers and input sanitizers |
Model Capability Required | Native Base64 decoding ability | Cipher decryption and instruction following | Tokenization boundary awareness |
Payload Visibility to Humans | Obfuscated but trivially reversible | Obfuscated; requires cipher knowledge | Partially visible; fragments appear innocuous |
Detection Difficulty for Automated Filters | Moderate; detectable via entropy analysis | High; output resembles random character sequences | High; individual tokens appear benign |
Attack Complexity | Low; single encoding step | Medium; requires cipher definition in prompt | High; requires knowledge of model tokenizer |
Defense Mechanism | Decode and scan all Base64 strings before inference | Perplexity filtering and cipher detection heuristics | Tokenization-aware input canonicalization |
Real-World Prevalence | 0.3% | 0.1% | 0.5% |
Related Terms
Base64 injection belongs to a broader family of obfuscation and encoding-based attacks. Understanding these related techniques is essential for building layered defenses against adversarial inputs.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us