AdversarialCoT: Single-Document Retrieval Poisoning for LLM Reasoning
This work exposes a critical security risk in RAG systems for LLM reasoning, showing that a single poisoned document can substantially reduce reasoning accuracy, which is important for developers of robust LLM pipelines.
AdversarialCoT introduces a query-specific attack that poisons a single document in a retrieval corpus to degrade LLM reasoning accuracy in RAG systems, revealing significant vulnerabilities with minimal attacker effort.
Retrieval-augmented generation (RAG) enhances large language model (LLM) reasoning by retrieving external documents, but also opens up new attack surfaces. We study knowledge-base poisoning attacks in RAG, where an attacker injects malicious content into the retrieval corpus, which is then naturally surfaced by the retriever and consumed by the LLM during reasoning. Unlike prior work that floods the corpus with poisoned documents, we propose AdversarialCoT, a query-specific attack that poisons only a single document in the corpus. AdversarialCoT first extracts the target LLM's reasoning framework to guide the construction of an initial adversarial chain-of-thought (CoT). The adversarial document is iteratively refined through interactions with the LLM, progressively exposing and exploiting critical reasoning vulnerabilities. Experiments on benchmark LLMs show that a single adversarial document can significantly degrade reasoning accuracy, revealing subtle yet impactful weaknesses. This study exposes security risks in RAG systems and provides actionable insights for designing more robust LLM reasoning pipelines.