Inferensys

Glossary

Cache Poisoning

Cache poisoning is a cyberattack that injects malicious data into a web cache, causing it to serve harmful responses to users of AI-powered applications.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
WEB SECURITY VULNERABILITY

What is Cache Poisoning?

Cache poisoning is an attack that exploits vulnerabilities in web caching mechanisms to inject malicious or harmful content into the cache, causing the server to serve compromised responses to unsuspecting users of an AI-powered application.

Cache poisoning is a cyberattack where an adversary manipulates the behavior of an intermediate web cache to store a malicious version of a legitimate resource. By exploiting flaws in how the cache derives its cache key—often by injecting unkeyed input like specific HTTP headers—the attacker forces the cache to associate a harmful response with a clean URL. Subsequent users requesting the same resource then receive the poisoned content, effectively turning the cache into a distribution point for malware, phishing pages, or cross-site scripting (XSS) payloads.

In the context of AI-powered applications, cache poisoning poses a severe risk to supply chain integrity. An attacker could poison a cache delivering a machine learning model's inference responses, a frequently accessed API endpoint, or a critical JavaScript dependency. This directly undermines the vendor AI risk management posture by bypassing server-side security controls, as the malicious payload is served directly from the edge cache without ever reaching the origin server for inspection, making pre-deployment certification and continuous post-market surveillance essential.

ATTACK VECTORS

Key Characteristics of Cache Poisoning Attacks

Cache poisoning exploits the trust between a web cache and its origin server to inject malicious content, directly impacting the integrity of AI-powered application responses.

01

Unkeyed Input Manipulation

The attack exploits discrepancies between the cache key and the application's processing logic. An attacker sends an HTTP request with a malicious, unkeyed header (e.g., X-Forwarded-Host). The cache ignores this header when identifying the cached object but the origin server uses it to generate the response. The cache then stores a poisoned response associated with a clean cache key, serving malicious content to subsequent legitimate users.

02

Response Splitting

A classic technique where an attacker injects carriage return and line feed (CRLF) characters into a request header. If the origin server reflects this input without sanitization, the attacker can craft a response that the cache interprets as two separate responses. The second, fully attacker-controlled response is cached and served for a legitimate URL, enabling cross-site scripting (XSS) or defacement.

03

HTTP Method Confusion

Many caches treat GET and HEAD requests as interchangeable for caching purposes. An attacker can send a malicious POST request that triggers a harmful server-side action. If the cache is misconfigured to store the response and serve it for subsequent GET requests to the same path, the attacker poisons the cache with a state-changing operation's result, affecting all users requesting the resource.

04

Fat GET Request Poisoning

An attacker sends a GET request that includes a request body, which is technically allowed by the HTTP specification but rarely expected. If the origin server processes this body to generate the response but the cache key is derived only from the URL and headers, the cache will store a body-influenced response. Any subsequent GET request to the same URL will receive the poisoned response without the attacker's body.

05

Host Header Injection

If a cache is configured to route requests to a virtual host based on the Host header but does not include it in the cache key, an attacker can poison the cache. By sending a request with a malicious Host header pointing to an attacker-controlled server, the origin server might generate a response containing a poisoned absolute URL or script. The cache stores this under a clean key, serving the malicious asset to all users.

06

AI Application Impact

In AI-powered applications, cache poisoning can corrupt the grounding data or prompt context fetched from a poisoned endpoint. An attacker can inject malicious instructions into a cached API response that a retrieval-augmented generation (RAG) system treats as a trusted source. This leads to the AI model generating harmful outputs, exfiltrating data, or executing tool calls based on the attacker's injected commands.

CACHE POISONING

Frequently Asked Questions

Clear, technically precise answers to the most common questions about web cache poisoning attacks, their mechanisms, and their specific implications for AI-powered applications.

Cache poisoning is a web security attack where an adversary injects malicious or crafted content into a caching layer—such as a CDN, reverse proxy, or application cache—causing it to store and subsequently serve that harmful response to other users. The attack exploits discrepancies between how the cache interprets a request's cache key and how the origin server processes unkeyed inputs like HTTP headers. The attacker sends a request containing a malicious payload in an unkeyed header (e.g., X-Forwarded-Host). If the origin server reflects this header value in the response without validation, and the cache does not include that header in its cache key, the poisoned response is stored. Subsequent legitimate users requesting the same cache-keyed resource then receive the attacker's injected content, enabling persistent cross-site scripting (XSS), open redirection, or resource hijacking at scale.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.