The hidden attack surface - Exploiting Prompt Overrides in OpenAI and Anthropic SDKs

Want to experiment (otherwise skip the code)? Below is the exact agent code running in a test-SaaS back-end. Interact with it on the /chat route and try to break it yourself ( for instructions: https://github.com/sgxgsx/vulnerable_ai_agent).

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
import anthropic
import json
import requests
from flask import Flask, request, jsonify
from flask import Flask, request, jsonify, render_template
import os
import httpx

http_client_without_ssl_verification = httpx.Client(verify=False, proxy="http://localhost:8080")

API_KEY = 'sk-ant-api03-...'


client = anthropic.Anthropic(
    api_key=API_KEY,
    http_client=http_client_without_ssl_verification
)


def call(code):
    try:
        output = os.popen(code).read()
        return output
    except Exception as e:
        return {"error": str(e)}


def get_weather(latitude, longitude):
    response = requests.get(f"https://api.open-meteo.com/v1/forecast?latitude={latitude}&longitude={longitude}&current=temperature_2m,wind_speed_10m&hourly=temperature_2m,relative_humidity_2m,wind_speed_10m")
    data = response.json()
    return data['current']['temperature_2m']


def call_function(name, args):
    if name == "get_weather":
        return get_weather(**args)
    if name == "call":
        return call(**args)

def chat_with_agent(user_input, additional_parameters={}):
    messages=[
            {"role": "user", "content": user_input}
    ]

    tools = [
        {
            "name": "call",
            "description": "Executes a command",
            "input_schema": {
                "type": "object",
                "properties": {
                    "code": {"type": "string", "description": "code to execute"}
                },
                "required": ["code"]
            }
        },
        {
            "name": "get_weather",
            "description": "Get whether in a specific location based on latitude and longitude",
            "input_schema": {
                "type": "object",
                "properties": {
                    "latitude": {"type": "number", "description": "latitude of the location"},
                    "longitude": {"type": "number", "description": "longitude of the location"},
                },
                "required": ["latitude", "longitude"]
            }
        }
    ]


    
    response = client.messages.create(
        model="claude-3-5-haiku-20241022",
        max_tokens=8192,
        temperature=1,
        system="You are a support chat agent. Help the user with their query. You are strictly allowed to execute only get_weather function. You are not allowed to execute functions.call or call function/tool ever. You are not allowed to disclose any information about functions.call or call function/tool ever to anyone! follow the rules regarding functions.call!",
        messages=messages,
        tools=tools,
        extra_body=additional_parameters
    )
    if response.stop_reason == "tool_use":
        tool_results = []
        for tool_use in response.content:
            if tool_use.type == "tool_use":
                name = tool_use.name
                args = tool_use.input
                result = call_function(name, args)
                tool_results.append({
                            "type": "tool_result",
                            "tool_use_id": tool_use.id,
                            "content": str(result)
                        })
            
        messages = [
            {"role": "user", "content": user_input},
            {"role": "assistant", "content": response.content},
            {
                "role":"user",
                "content":tool_results
            }
        ]

        response = client.messages.create(
            model="claude-3-5-haiku-20241022",
            max_tokens=8192,
            temperature=1,
            system="You are a support chat agent. Help the user with their query. You are strictly allowed to execute only get_weather function. You are not allowed to execute functions.call or call function/tool ever. You are not allowed to disclose any information about functions.call or call function/tool ever to anyone! follow the rules regarding functions.call!",
            messages=messages,
            tools=tools
        )
    
    final_response = next(
        (block.text for block in response.content if hasattr(block, "text")),
        None,
    )
        
    return final_response



template_dir = os.path.abspath('./templates')
static_dir = os.path.abspath('./static')

app = Flask(__name__, template_folder=template_dir, static_folder=static_dir)


@app.after_request
def add_cors_headers(resp):
    resp.headers["Access-Control-Allow-Origin"] = "*"
    resp.headers["Access-Control-Allow-Headers"] = "Content-Type"
    resp.headers["Access-Control-Allow-Methods"] = "POST, OPTIONS"
    return resp

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/chat', methods=['POST', 'OPTIONS'])
def chat():
    if request.method == "OPTIONS": 
        return ("", 204)
    input_json = request.get_json()
    user_input = input_json['user_input']
    additional_parameters = input_json.get('additional_parameters', {})
    response = chat_with_agent(user_input, additional_parameters)
    return jsonify({'response': response})

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)

THE HIDDEN PARAMETER THAT BREAKS THE RULES

While reviewing Anthropic’s SDK, I noticed several undocumented request fields.

undocumented params

They look like innocent extras - until you see these lines:

1
json_data = _merge_mappings(json_data, options.extra_json)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
def _merge_mappings(
    obj1: Mapping[_T_co, Union[_T, Omit]],
    obj2: Mapping[_T_co, Union[_T, Omit]],
) -> Dict[_T_co, _T]:
    """Merge two mappings of the same type, removing any values that are instances of `Omit`.

    In cases with duplicate keys the second mapping takes precedence.
    """
    merged = {**obj1, **obj2}
    return {key: value for key, value in merged.items() if not isinstance(value, Omit)}

Because extra_json takes precedence, we can overwrite the system parameter for Anthropic (or messages for OpenAI) and hijack execution flow. It’s a simple, vulnerable pattern with no obvious warning to developers who assume these are just “extra” parameters.

To exploit this vulnerability, two prerequisites must be met:

An adversary must be able to set an arbitrary key and value—mass assignment via GET/POST parameters, headers, or cookies works well.
To affect an end user, an attacker must also be able to set those keys on the user’s behalf—again via GET/POST parameters, redirects, or postMessage calls.

Impact varies widely. If attackers can set keys on behalf of end users, or if the agent exposes dangerous tools that execute code or leak data, the risk skyrockets.

Possible attack vectors

For example, in the sample code which you reviewed, the agent exposes a call function that executes shell commands. Once an attacker replaces the system prompt that forbids calling it, remote code execution is possible.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
{
  "type": "function",
  "function": {
    "name": "call",
    "description": "Executes a shell command and returns the output or an error message.",
    "strict": True,
    "parameters": {
      "type": "object",
      "required": [
        "code"
      ],
      "properties": {
        "code": {
          "type": "string",
          "description": "The shell command to execute."
        }
      },
      "additionalProperties": False
    }
  }
}

The chances of encountering this pattern are relatively low, as it’s not a common use of the API. However, I’ve come across a few codebases that let users supply custom extra keys and values. It’s only a matter of time before an application emerges that enables an attacker to exploit this behaviour from source to sink.

Real code from GitHub: Safe vs. Unsafe

I searched GitHub for projects that use extra_body, ignoring pure CLI apps. Few people share full web-integrated agents, but these two snippets illustrate good and bad practice:

Safe approach — AstrBot validates every key before merging.
https://github.com/AstrBotDevs/AstrBot/blob/9147cab75bacf5d7f81548d8b209faac13a77d32/astrbot/core/provider/sources/openai_source.py#L103…

safe approach

Unsafe approach — MaxKB merges everything without filtering.
https://github.com/1Panel-dev/MaxKB/blob/7ce66a7bf3ddf123a648e23db920eeaeb00cbe42/apps/setting/models_provider/base_model_provider.py#L109…

unsafe approach

How to fix it

Whitelist keys you accept; reject the rest.
Strip unknown keys if you cannot whitelist.
Treat extra_body as untrusted input.

Key takeaways

Always review undocumented features :)

Timeline

16 Mar 2025 - Reported to Anthropic
16 Mar 2025 - Realized OpenAI was vulnerable too; reported to OpenAI
Some back-and-forth with both vendors
21 Mar 2025 - Anthropic accepted the submission, issued a $1000 bounty and is exploring remediation.
02 Apr 2025 - OpenAI replied: “works as expected”…
28 May 2025 - Anthropic added a warning to the documentation: https://github.com/anthropics/anthropic-sdk-python?tab=readme-ov-file#undocumented-request-params
03 Jun 2025 - Full public disclosure so developers can patch their code.