Cache poisoning is a cyberattack where an adversary manipulates the behavior of an intermediate web cache to store a malicious version of a legitimate resource. By exploiting flaws in how the cache derives its cache key—often by injecting unkeyed input like specific HTTP headers—the attacker forces the cache to associate a harmful response with a clean URL. Subsequent users requesting the same resource then receive the poisoned content, effectively turning the cache into a distribution point for malware, phishing pages, or cross-site scripting (XSS) payloads.
Glossary
Cache Poisoning

What is Cache Poisoning?
Cache poisoning is an attack that exploits vulnerabilities in web caching mechanisms to inject malicious or harmful content into the cache, causing the server to serve compromised responses to unsuspecting users of an AI-powered application.
In the context of AI-powered applications, cache poisoning poses a severe risk to supply chain integrity. An attacker could poison a cache delivering a machine learning model's inference responses, a frequently accessed API endpoint, or a critical JavaScript dependency. This directly undermines the vendor AI risk management posture by bypassing server-side security controls, as the malicious payload is served directly from the edge cache without ever reaching the origin server for inspection, making pre-deployment certification and continuous post-market surveillance essential.
Key Characteristics of Cache Poisoning Attacks
Cache poisoning exploits the trust between a web cache and its origin server to inject malicious content, directly impacting the integrity of AI-powered application responses.
Unkeyed Input Manipulation
The attack exploits discrepancies between the cache key and the application's processing logic. An attacker sends an HTTP request with a malicious, unkeyed header (e.g., X-Forwarded-Host). The cache ignores this header when identifying the cached object but the origin server uses it to generate the response. The cache then stores a poisoned response associated with a clean cache key, serving malicious content to subsequent legitimate users.
Response Splitting
A classic technique where an attacker injects carriage return and line feed (CRLF) characters into a request header. If the origin server reflects this input without sanitization, the attacker can craft a response that the cache interprets as two separate responses. The second, fully attacker-controlled response is cached and served for a legitimate URL, enabling cross-site scripting (XSS) or defacement.
HTTP Method Confusion
Many caches treat GET and HEAD requests as interchangeable for caching purposes. An attacker can send a malicious POST request that triggers a harmful server-side action. If the cache is misconfigured to store the response and serve it for subsequent GET requests to the same path, the attacker poisons the cache with a state-changing operation's result, affecting all users requesting the resource.
Fat GET Request Poisoning
An attacker sends a GET request that includes a request body, which is technically allowed by the HTTP specification but rarely expected. If the origin server processes this body to generate the response but the cache key is derived only from the URL and headers, the cache will store a body-influenced response. Any subsequent GET request to the same URL will receive the poisoned response without the attacker's body.
Host Header Injection
If a cache is configured to route requests to a virtual host based on the Host header but does not include it in the cache key, an attacker can poison the cache. By sending a request with a malicious Host header pointing to an attacker-controlled server, the origin server might generate a response containing a poisoned absolute URL or script. The cache stores this under a clean key, serving the malicious asset to all users.
AI Application Impact
In AI-powered applications, cache poisoning can corrupt the grounding data or prompt context fetched from a poisoned endpoint. An attacker can inject malicious instructions into a cached API response that a retrieval-augmented generation (RAG) system treats as a trusted source. This leads to the AI model generating harmful outputs, exfiltrating data, or executing tool calls based on the attacker's injected commands.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about web cache poisoning attacks, their mechanisms, and their specific implications for AI-powered applications.
Cache poisoning is a web security attack where an adversary injects malicious or crafted content into a caching layer—such as a CDN, reverse proxy, or application cache—causing it to store and subsequently serve that harmful response to other users. The attack exploits discrepancies between how the cache interprets a request's cache key and how the origin server processes unkeyed inputs like HTTP headers. The attacker sends a request containing a malicious payload in an unkeyed header (e.g., X-Forwarded-Host). If the origin server reflects this header value in the response without validation, and the cache does not include that header in its cache key, the poisoned response is stored. Subsequent legitimate users requesting the same cache-keyed resource then receive the attacker's injected content, enabling persistent cross-site scripting (XSS), open redirection, or resource hijacking at scale.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Cache poisoning is one of many attack vectors targeting the integrity of AI-powered web applications. Understanding these related concepts is essential for building a robust defensive security posture.
Data Poisoning Vector
A specific pathway or method by which an adversary introduces malicious samples into a training dataset to corrupt model behavior. While cache poisoning targets inference-time delivery, data poisoning attacks the model's foundational logic.
- Availability Poisoning: Indiscriminately degrades overall model accuracy
- Targeted Poisoning: Causes misclassification only on specific trigger inputs
- Backdoor Attacks: Embed hidden behaviors activated by an attacker-chosen pattern
Prompt Injection Vulnerability
A security flaw where malicious instructions override a model's system prompt, hijacking its intended behavior. This is the LLM-era analogue to cache poisoning, where untrusted input manipulates the output served to users.
- Direct Injection: Overriding system instructions with user input like 'Ignore previous directions'
- Indirect Injection: Poisoning data the model retrieves, such as a webpage containing hidden prompts
- Impact: Data exfiltration, misinformation, or tool invocation abuse
Adversarial Robustness Benchmark
A standardized test suite designed to measure a model's resilience against evasion, poisoning, and other adversarial attacks. These benchmarks help quantify how susceptible an AI system is to inputs crafted to cause failure.
- Common Benchmarks: ImageNet-C, RobustBench, AdvGLUE
- Metrics: Attack success rate, perturbation magnitude, certified accuracy
- Relevance: Validates defenses against the same class of integrity attacks as cache poisoning
Server-Side Request Forgery (SSRF)
An exploit that tricks a server-side AI application into making unauthorized requests to internal resources. SSRF is often chained with cache poisoning to inject malicious content into an internal cache from a trusted origin.
- Common Targets: Cloud metadata endpoints (169.254.169.254), internal APIs
- Impact: Credential theft, internal network scanning, RCE
- Cache Poisoning Link: SSRF can poison internal caches by forcing the server to fetch attacker-controlled payloads
Output Moderation API
A programmable interface that filters or blocks toxic, unsafe, or policy-violating content generated by a model in real-time. This serves as a last-line defense when cache integrity fails and poisoned responses reach users.
- Capabilities: Toxicity scoring, PII redaction, prompt injection detection
- Deployment: Sits between the model output and the user-facing cache
- Limitation: Reactive, not preventive; cannot fix the poisoned cache entry itself

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us