Inferensys

Glossary

Cache Poisoning

Cache poisoning is a security attack where an adversary injects malicious or corrupted data into a cache, causing the system to serve compromised responses to legitimate users.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
SECURITY ATTACK VECTOR

What is Cache Poisoning?

Cache poisoning is a security attack where an adversary injects malicious or corrupted data into the cache, causing the system to serve compromised responses to legitimate users.

Cache poisoning is a targeted attack against caching infrastructure where an attacker exploits vulnerabilities to insert falsified entries into the cache store. Unlike cache evasion, which bypasses the cache, poisoning corrupts the cache itself so that subsequent legitimate requests receive malicious or corrupted responses directly from the cache layer without ever reaching the origin server or model.

In sovereign inference caching, poisoning can cause an LLM cache to serve compromised embeddings or manipulated responses, potentially spreading disinformation or exfiltrating data. Mitigations include strict input validation, cryptographic integrity checks on cached entries, and tenant isolation to prevent cross-user contamination within shared cache layers.

THREAT VECTOR ANALYSIS

Key Characteristics of Cache Poisoning

Cache poisoning is a targeted attack on data integrity where an adversary injects malicious or corrupted entries into the caching layer, causing the system to serve compromised responses to legitimate users. Unlike simple cache corruption, poisoning exploits the trust relationship between the cache and its consumers.

01

Semantic Injection Vectors

Attackers exploit the semantic matching logic of modern caches by crafting queries that are semantically adjacent to legitimate requests but carry malicious payloads. In sovereign inference caching, an adversary might submit a prompt whose embedding falls within the similarity threshold of a trusted query, causing the cache to associate a compromised LLM response with a high-traffic intent. This bypasses exact-key matching defenses and poisons the embedding space itself.

02

Response Manipulation Attacks

The attacker intercepts or manipulates the response from the origin model before it is written into the cache. Common techniques include:

  • Man-in-the-Middle (MITM) interception between the cache and inference endpoint
  • DNS spoofing to redirect cache miss requests to a rogue model server
  • API response tampering via compromised upstream dependencies Once the tainted response is cached, every subsequent cache hit serves the poisoned payload to unsuspecting users, amplifying the attack's blast radius.
03

Cache Key Collision Exploitation

Adversaries deliberately engineer hash collisions or predict cache key generation patterns to overwrite legitimate entries. In sovereign environments using Locality-Sensitive Hashing (LSH) for semantic caching, an attacker can generate adversarial examples—inputs specifically designed to produce the same hash bucket as a high-value target query. This causes the cache to evict or overwrite the genuine response with attacker-controlled content, effectively hijacking the cache slot.

04

Temporal Poisoning Windows

Cache poisoning often exploits predictable Time-To-Live (TTL) expiration patterns. Attackers monitor cache refresh cycles and time their injection to coincide with the moment a popular entry expires and the cache fetches a fresh copy. During this cache stampede vulnerability window, the adversary floods the origin with poisoned responses, hoping one gets cached before the legitimate response arrives. This race condition is particularly dangerous in high-concurrency sovereign inference deployments.

05

Cross-Tenant Poisoning

In multi-tenant sovereign caching layers with insufficient tenant isolation, an attacker in one tenant context can poison cache entries that are served to other tenants. This occurs when:

  • Cache keys lack proper namespace segmentation
  • Embedding spaces are shared across organizational boundaries
  • Eviction policies don't respect tenant-specific partitioning The result is lateral contamination where a compromised tenant poisons the inference outputs of unrelated, trusted users sharing the same cache infrastructure.
06

Cryptographic Integrity Defense

The primary mitigation is cryptographic signing of cache entries. Each response is hashed and signed by the trusted origin model using a hardware-backed root of trust. Before serving a cached response, the cache layer verifies the signature against a known public key. Any tampering invalidates the signature, triggering an automatic eviction and re-fetch. In sovereign deployments, this is combined with encrypted caches and immutable audit logs to provide non-repudiation of every served inference result.

THREAT DIFFERENTIATION

Cache Poisoning vs. Related Attack Vectors

A comparison of cache poisoning against adjacent security threats that target sovereign inference caching layers, highlighting distinct mechanisms, impacts, and mitigation scopes.

FeatureCache PoisoningData PoisoningPrompt Injection

Primary Target

Inference cache entries

Model training dataset

LLM prompt context

Attack Mechanism

Injecting malicious responses into the cache via crafted requests

Inserting corrupted or biased samples into training data

Embedding adversarial instructions in user input or retrieved documents

Persistence

Persists until TTL expiry or manual eviction

Persists until model retraining or unlearning

Transient; affects only the current inference session

Impact Scope

All users receiving the poisoned cached response

All downstream model outputs post-training

Single user session or conversation thread

Exploits Trust Boundary

Between cache and origin model

Between data pipeline and training process

Between user input and model instruction hierarchy

Primary Mitigation

Cryptographic cache key signing and input validation

Dataset provenance verification and anomaly detection

Input sanitization and instruction privilege separation

Sovereign Infrastructure Relevance

High: Compromises air-gapped response integrity

High: Corrupts locally fine-tuned models

Moderate: Exploits RAG pipelines and tool calls

Detection Difficulty

Moderate: Requires cache telemetry and checksum monitoring

High: Often detected only through model behavior drift

Low: Visible in anomalous output patterns

CACHE POISONING

Frequently Asked Questions

Cache poisoning is a critical security threat to sovereign inference infrastructure. These answers address the most common technical questions about how adversaries corrupt cached responses and how to defend against these attacks.

Cache poisoning is a security attack where an adversary injects malicious, corrupted, or fabricated data into a caching layer, causing the system to serve compromised responses to legitimate users. The attack exploits the trust relationship between the cache and its origin data source.

In the context of sovereign inference caching, an attacker might manipulate the semantic similarity threshold to associate a benign query embedding with a malicious response. When a legitimate user submits a semantically similar prompt, the cache returns the poisoned entry instead of a safe, computed response.

Common attack vectors include:

  • HTTP header manipulation: Exploiting unkeyed headers like X-Forwarded-Host to generate cache keys that collide with legitimate entries.
  • Request smuggling: Crafting ambiguous requests that desynchronize the cache's parsing from the origin server's interpretation.
  • Embedding collision attacks: Generating adversarial inputs that produce embeddings artificially close to target queries in the vector space.

The poisoned response persists in the cache until its Time-To-Live (TTL) expires or manual invalidation occurs, potentially affecting thousands of users who receive the corrupted output.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.