XingTuLab/Cache_Me_Catch_You

Cache Me, Catch You

Cache Me, Catch You: Cache Related Security Threats in LLM Serving Frameworks

Accepted at NDSS 2026


Overview

This repository contains the implementation and experimental materials for our NDSS 2026 paper. We conducted a comprehensive security analysis of caching mechanisms in Large Language Model (LLM) serving frameworks such as vLLM, SGLang, and GPTCache, and discovered several critical vulnerabilities in:

  • KV Cache (Prefix Caching): Hash collision attacks on prefix caching mechanisms
  • Image Cache: Hash collision attacks on image preprocessing pipelines in multimodal models
  • Semantic Cache: Semantic inconsistency issues where requests with high similarity scores may have completely different or even opposite meanings

Our research demonstrates that these caching mechanisms introduce significant security risks, enabling attackers to perform cache poisoning attacks that can lead to incorrect model outputs, information leakage, and content filter bypasses.


Repository Structure

.
├── image/                    # Image Hash Collision Attacks
│   ├── P-image/              # PNG Palette-based collision attack
│   ├── sha256_coll/          # SHA-256 hash collision for image preprocessing
│   └── size-image/           # Dimension-based image collision attack
├── kv_cache/                 # KV Cache Hash Collision Attack Tools
│   ├── omp_collision_cd.cpp  # C++ collision search core (OpenMP)
│   ├── hash_coll.py          # Cross-prompt hash collision script
│   ├── selfhash.py           # Self-hash collision script
│   └── README.md
├── prompts/                  # Semantic Cache Experiment Prompts
│   ├── customer_prompt/      # Customer support scenario prompts
│   └── LLM_Security_Analyst/ # Security analysis scenario prompts
└── README.md                 # This file

Image Hash Collision Attacks (image/)

This directory contains three different attack vectors targeting image caching mechanisms in multimodal LLM serving frameworks.

1. P-image: PNG Palette-based Collision (image/P-image/)

Exploits PNG palette-mode to construct visually different images with identical hash values. See P-image/README.md for details.

2. SHA-256 Collision for Image Preprocessing (image/sha256_coll/)

High-performance collision search targeting SHA-256 hashes in image preprocessing pipelines (e.g., SGLang). See sha256_coll/readme.md for details.

3. Size-based Image Collision (image/size-image/)

Dimension-based collision where identical raw pixel data displays different content. See size-image/README.md for details.
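Added example, not code from this repository: a Python sketch of the check the three image findings point to, contrasting a cache key derived from the raw pixel bytes alone with one that also binds the image mode, dimensions, palette and transparency data. ImageRecord is a constructed stand-in for a decoded image (not a Pillow object), and the frameworks' own key derivation is not reproduced here.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ImageRecord:
    """Minimal stand-in for a decoded image (constructed for this example, not a Pillow object)."""
    mode: str                             # e.g. "P" (palette) or "L" (grayscale)
    size: Tuple[int, int]                 # (width, height)
    pixels: bytes                         # raw pixel bytes, i.e. what tobytes() would return
    palette: Optional[bytes] = None       # palette table for mode "P"
    transparency: Optional[bytes] = None  # PNG tRNS data, if present


def naive_key(img: ImageRecord) -> str:
    """Cache key over the raw pixel bytes only: the pattern the README describes as collidable."""
    return hashlib.sha256(img.pixels).hexdigest()


def _framed(tag: bytes, data: bytes) -> bytes:
    # Length-prefixed framing so that bytes cannot be shifted between fields.
    return tag + struct.pack(">I", len(data)) + data


def hardened_key(img: ImageRecord) -> str:
    """Cache key binding every field that changes how the same pixel bytes are rendered."""
    h = hashlib.sha256()
    h.update(_framed(b"mode", img.mode.encode()))
    h.update(_framed(b"size", struct.pack(">II", *img.size)))
    h.update(_framed(b"pal", img.palette or b""))
    h.update(_framed(b"trns", img.transparency or b""))
    h.update(_framed(b"pix", img.pixels))
    return h.hexdigest()


def build_samples():
    """Constructed pairs that share identical pixel bytes but render differently."""
    raw = bytes(range(8))                                             # 8 index/gray bytes
    wide = ImageRecord("L", (4, 2), raw)                              # 4x2 grayscale
    tall = ImageRecord("L", (2, 4), raw)                              # same bytes laid out 2x4
    pal_a = ImageRecord("P", (8, 1), raw, palette=bytes(24))          # all-black palette
    pal_b = ImageRecord("P", (8, 1), raw, palette=bytes([255]) * 24)  # all-white palette
    return wide, tall, pal_a, pal_b
```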


KV Cache Hash Collision Attack (kv_cache/)

Tools for performing a Meet-in-the-Middle (bidirectional birthday) attack on the KV Cache prefix hashing mechanism in LLM inference engines.

| File | Description |
| --- | --- |
| omp_collision_cd.cpp | C++ collision search core with OpenMP parallelization |
| hash_coll.py | Cross-prompt collision: the attacker's prompt collides with the victim's prompt |
| selfhash.py | Self-collision: different positions within the same prompt produce identical hashes |

See kv_cache/README.md for technical details and usage.
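Added defender-side example, not part of this repository or of the frameworks it studies: a chained prefix-block hash built on Python's tuple hash (an assumption about the pattern the attack targets, not the frameworks' exact code) next to a keyed 256-bit alternative, plus a cache lookup that confirms the stored token ids on every hit so that a hash collision becomes a counted miss rather than a reuse of another request's KV blocks. BLOCK_SIZE, PrefixCache and its field names are constructed for illustration.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4  # tokens per cache block; kept small for illustration


def tuple_block_hash(parent: Optional[int], tokens: Tuple[int, ...]) -> int:
    """Chained block hash on Python's tuple hash: at most 64 bits, unkeyed, not collision resistant."""
    return hash((parent, tokens))


def keyed_block_hash(key: bytes, parent: Optional[bytes], tokens: Tuple[int, ...]) -> bytes:
    """Chained block hash with keyed BLAKE2b: 256-bit output, key unknown to requesters."""
    h = hashlib.blake2b(key=key, digest_size=32)
    h.update(parent or bytes(32))                # root block chains from a zero parent
    h.update(len(tokens).to_bytes(4, "big"))
    for t in tokens:
        h.update(t.to_bytes(4, "big"))           # fixed width: token boundaries cannot shift
    return h.digest()


class PrefixCache:
    """Prefix cache whose hits are confirmed against stored token ids (constructed example)."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)                  # per-process secret
        self.blocks: Dict[bytes, Tuple[int, ...]] = {}      # block hash -> token ids
        self.collisions = 0                                 # hash hit with token mismatch

    def _blocks(self, token_ids: List[int]):
        parent = None
        for i in range(0, len(token_ids) - len(token_ids) % BLOCK_SIZE, BLOCK_SIZE):
            block = tuple(token_ids[i:i + BLOCK_SIZE])
            parent = keyed_block_hash(self.key, parent, block)
            yield parent, block

    def insert(self, token_ids: List[int]) -> None:
        for h, block in self._blocks(token_ids):
            self.blocks.setdefault(h, block)

    def matched_blocks(self, token_ids: List[int]) -> int:
        """Number of leading full blocks that can be reused from the cache."""
        n = 0
        for h, block in self._blocks(token_ids):
            stored = self.blocks.get(h)
            if stored is None:
                return n
            if stored != block:                  # collision: record it, do not reuse
                self.collisions += 1
                return n
            n += 1
        return n
```

The collision counter is the detection hook: a non-zero value in production means the hash is being hit with mismatching tokens and is worth alerting on.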


Semantic Cache Experiments (prompts/)

This directory contains prompt templates used in our semantic cache security experiments. We discovered that requests with high semantic similarity scores may actually have inconsistent or even opposite meanings, leading to incorrect cache hits.

| Scenario | Directory | Description |
| --- | --- | --- |
| Customer Support | customer_prompt/ | System prompts and semantic cache filtering experiments |
| Security Analyst | LLM_Security_Analyst/ | Code vulnerability analysis prompts |

Attack Summary

| Attack Type | Target | Framework | Hash Type |
| --- | --- | --- | --- |
| Palette Collision | Image Cache | vLLM | tobytes() |
| SHA-256 Collision | Image Cache | SGLang | SHA-256 |
| Size Collision | Image Cache | Multiple | tobytes() |
| KV Cache Collision | Prefix Cache | SGLang/vLLM | Python tuple hash |
| Semantic Collision | Semantic Cache | GPTCache | Embedding similarity |

Responsible Disclosure

We have responsibly disclosed these vulnerabilities to the affected framework maintainers. Below are the security advisories and CVE IDs:

vLLM Cache Vulnerabilities

| Vulnerability | Advisory | CVE |
| --- | --- | --- |
| KV Cache Collision | GHSA-rm76-4mrf-v9r8 | CVE-2025-25183 |
| KV Cache Collision | - | CVE-2025-1953 |
| Image Hash Collision (tobytes) | GHSA-c65p-x677-fgj6 | CVE-2025-46722 |
| PNG tRNS Transparency Bypass | GHSA-8jr5-v98p-w75m | - |

GPTCache Semantic Cache Vulnerability

| Vulnerability | Fix |
| --- | --- |
| Semantic Cache Inconsistency | PR #669 |

Citation

@inproceedings{cachemecatchyou2026,
  title={Cache Me, Catch You: Cache Related Security Threats in LLM Serving Frameworks},
  author={Wu, XiangFan and Ying, Lingyun and Chen, Guoqiang and Gu, Yacong and Qu, Haipeng},
  booktitle={Proceedings of the Network and Distributed System Security Symposium (NDSS)},
  year={2026}
}

License

This project is for research purposes only. Please use responsibly and in accordance with applicable laws and regulations.
