LLM07:2025 - System Prompt Leakage
System Prompt Leakage is the seventh risk in the OWASP Top 10 for LLM Applications 2025. It occurs when system prompts (which often contain API keys, internal business logic, filtering rules, or behavioral instructions) become accessible to end users through extraction attacks, client-side code inspection, error messages, or application logs.
Overview
System prompts are the hidden instructions that shape how an LLM behaves in a specific application. Developers frequently embed sensitive information in these prompts: database credentials, internal API endpoints, content filtering rules, pricing logic, or proprietary algorithms. Because LLMs can be coaxed into revealing their system prompts through carefully crafted inputs, any sensitive data included in those prompts is effectively one attack away from exposure. Beyond direct extraction, system prompts are routinely leaked through client-side JavaScript bundles, API response payloads, verbose error messages, and application logs, all detectable through static analysis. The consequences extend beyond immediate credential theft: exposed system prompts reveal the application's behavioral constraints, content filtering logic, and internal architecture, giving attackers a detailed roadmap for further exploitation.
What Radar Detects
- **System prompts containing API keys, database credentials, or authentication tokens.** Hardcoded secrets embedded directly in prompt strings or prompt template files, where the LLM can be manipulated into repeating them or where they are visible in source code.
- **System prompts exposed in client-side JavaScript code or API responses.** Prompt strings included in frontend bundles, client-side configuration objects, or API response bodies that are accessible to any user inspecting network traffic or page source.
- **System prompts logged in application logs or debug output.** Logging statements that write full prompt content (including system instructions) to log files, console output, or observability platforms where they may be accessed by unauthorized parties.
- **Internal business logic or filtering rules embedded in accessible system prompts.** Proprietary rules, content policies, pricing algorithms, or decision criteria included in prompts that are retrievable through API endpoints or client-side code.
- **System prompts stored in plaintext configuration files without access control.** Prompt content kept in unencrypted configuration files (JSON, YAML, `.env`) that lack file-level access restrictions or are included in version control without proper secrets management.
- **Error messages that expose system prompt content when LLM calls fail.** Exception handlers that include the full prompt payload in error responses, stack traces, or user-facing error messages when an LLM API call fails.
- **System prompts committed to version control repositories.** Prompt files or configuration containing system prompts checked into version control without `.gitignore` exclusion, making them accessible through repository history even if later removed.
- **Debug endpoints that return system prompt content.** Development or debugging routes that expose the current system prompt for inspection and remain accessible in production deployments.
Prompts Are Not Secrets Vaults
System prompts should never contain credentials, API keys, or any secret material. Even if the prompt is stored server-side, LLMs can be manipulated into revealing their instructions. Treat any information placed in a system prompt as potentially extractable by end users.
Related CWEs
CWE-200 (Information Exposure), CWE-532 (Information Exposure Through Log Files), CWE-540 (Inclusion of Sensitive Information in Source Code).
See the CWE Reference for details.
Overlap with OWASP Top 10 Web
System Prompt Leakage overlaps with A02:2025 Security Misconfiguration (exposing internal configuration and verbose error messages) and A07:2025 Authentication Failures (credentials hardcoded in source code). The fundamental issue (sensitive information accessible where it should not be) is a well-understood web security risk that takes a new form in AI applications where prompts serve as both configuration and runtime instruction.
Prevention
- Never include secrets, credentials, API keys, or authentication tokens in system prompts. Reference them through environment variables or a dedicated secrets manager.
- Store and serve system prompts exclusively on the server side. Never include prompt content in client-side bundles, API responses, or frontend configuration.
- Treat system prompts as confidential configuration with the same access controls applied to database credentials or encryption keys.
- Implement error handling that strips prompt content from error responses, stack traces, and user-facing messages when LLM API calls fail.
- Configure logging to redact or exclude system prompt content from application logs, debug output, and observability pipelines.
- Assume that system prompt content can be extracted by determined attackers and design prompts accordingly. Never rely on prompt secrecy as a security control.
- Remove or disable debug endpoints that expose system prompt content before deploying to production environments.
- Add system prompt files to `.gitignore` and use pre-commit hooks to prevent accidental commits of sensitive prompt content to version control.