T147 • L45 • AI Sequential Pipeline Exploitation

SPECTER SEQUENCE

AI Sequential Pipeline Exploitation Engine — targeting the interfaces between steps in LangChain LCEL, Flowise, n8n, Celery, Redis, SQS, Kafka, RabbitMQ, Azure Service Bus and RAG retrieval pipelines.

232
Tests
7
Subsystems
4
WMD Classes
L45
Attack Layer
NIGHTFALL Arsenal

Overview

SPECTER SEQUENCE targets the inter-step interfaces in AI sequential pipelines — the boundaries where one step's output becomes the next step's input. These interfaces are trusted implicitly by every major pipeline framework and are therefore the highest-value attack surface in AI orchestration.

Attack surface: LangChain LCEL chains, Flowise chatflows, n8n AI workflows, Celery task queues, Redis Streams, AWS SQS, Apache Kafka, RabbitMQ, Azure Service Bus, and all major RAG retrieval stores (Qdrant, ChromaDB, Weaviate).

CVE-2024-27564 (LangChain SSRF, CVSS 7.5) is exploited directly via the SPLICE subsystem's LANGCHAIN_SSRF technique, allowing arbitrary SSRF via the /invoke endpoint's URL parameter.

AUTHORISATION REQUIRED — Deployment restricted to authorised penetration testing engagements and security research. INJECT and UNLEASHED gates require operator key material. Unauthorised use is illegal.

7 Subsystems

ENUMERATE OPEN

Framework detection (LangChain/Flowise/n8n/Haystack/LlamaIndex/Azure Durable/Step Functions), injection point mapping, Celery task key probing via Redis, GitHub Actions AI workflow scanning, Step Functions ARN listing, attack surface scoring 0–100. CLI: specter-sequence enumerate <url>

SPLICE INJECT

7 techniques targeting step interfaces: CELERY_RESULT_FORGE (redis SET celery-task-meta-{uuid}), REDIS_STREAM_INJECT (XADD ai-jobs-stream), LANGCHAIN_SSRF (CVE-2024-27564 data: URL via /invoke), N8N_STATE_PATCH (PATCH /rest/workflows/{id}), SQS_MESSAGE_INJECT (boto3/HTTP), AZURE_DURABLE_INJECT (/runtime/webhooks/durabletask), FLOWISE_NODE_INJECT (overrideConfig.systemMessage).

POISON-CONTEXT INJECT

6 context poisoning vectors: MULTI_TURN_INJECT (fabricated assistant role), TOOL_OUTPUT_FORGE (role=tool injection), STEP_SMUGGLE (JSON/markdown code block), SCRATCHPAD_POISON (false <think> content), CONTEXT_OVERFLOW (90% fill — arXiv:2603.20357), SYSTEM_PROMPT_INJECT (direct system slot injection).

RAG-INTERCEPT INJECT

6 retrieval store attack techniques: CHUNK_BOUNDARY_INJECT (adversarial doc at 512-token chunk boundary), VECTOR_NAMESPACE_INJECT (Qdrant/Chroma/Weaviate namespace bleed), RERANKER_POISON (high-scoring adversarial doc), CONTEXT_OVERFLOW (RAG context flood), HYBRID_INJECT (both dense and sparse channels), CROSS_TENANT_BLEED (probe tenant_1/2/admin/default namespaces).

QUEUE-HIJACK INJECT

6 queue types: REDIS_STREAM (XADD ai-jobs-stream), CELERY_BACKEND (SET celery-task-meta-{uuid}), AWS_SQS (boto3 + HTTP fallback), KAFKA (TCP probe + kafka-python), RABBITMQ (TCP probe + pika), AZURE_SERVICE_BUS (REST API). CLI: specter-sequence queue-hijack <endpoint> --queue-type <type>

CASCADE UNLEASHED

5 cascade techniques (UNLEASHED gate + Ed25519 key + ROE "sequential pipeline exploitation authorised"): MULTI_HOP (3-stage propagation across pipeline steps), LOOP_BYPASS (safety gate classification spoof), SELF_AMPLIFYING (webhook callback), SAFETY_GATE_BYPASS (8 bypass techniques: confidence injection/JSON schema confusion/role elevation/dry-run/token stuffing/base64/semantic evasion/null byte), COPILOT_AUTOFIX (PR injection via AI code reviewer).

REPORT OPEN

SEQ-{hex12} Ed25519-signed canonical JSON reports. Text and JSON output. MITRE ATT&CK / ATLAS mappings: AML.T0054 (LLM Prompt Injection), AML.T0051 (LLM Data Poisoning), T1565 (Data Manipulation), T1190 (Exploit Public-Facing Application). CVE-2024-27564 reference.

Splice Techniques

SPLICE-01
CELERY_RESULT_FORGE
Overwrite Celery task result in Redis backend via SET celery-task-meta-{uuid}. Next pipeline step reads poisoned result as legitimate task output.
SPLICE-02
REDIS_STREAM_INJECT
XADD message to ai-jobs-stream with injected payload. Consumed by any worker subscribed to the stream as a legitimate job.
SPLICE-03
LANGCHAIN_SSRF
CVE-2024-27564 CVSS 7.5 — POST /invoke with {"input": {"url": "data:text/plain,INJECTION", "tool": "load_image"}}. intermediate_steps injection via callbacks.metadata.
SPLICE-04
N8N_STATE_PATCH
GET /rest/workflows then PATCH /rest/workflows/{id} — insert injected AI Tool node into workflow definition. Persists across executions until removed.
SPLICE-05
SQS_MESSAGE_INJECT
boto3 send_message to AI job queue. HTTP fallback to SQS REST API. Injected message processed as legitimate AI pipeline task by any consumer.
SPLICE-06
AZURE_DURABLE_INJECT
POST /runtime/webhooks/durabletask/instances/{id}/raiseEvent/SequenceSplice — inject event into running Azure Durable Functions orchestration.
SPLICE-07
FLOWISE_NODE_INJECT
GET /api/v1/chatflows → POST /api/v1/prediction/{id} with overrideConfig.systemMessage. Bypasses configured system prompt for the duration of the request.

4 WMD Classes

ai_pipeline_cascade_attack
safety_gate_annihilation
rag_corpus_poisoning
ai_job_queue_hijack

Install & Usage

pip install -e /path/to/red-specter-specter-sequence

# Enumerate pipeline (no gate required)
specter-sequence enumerate https://your-pipeline.local

# Splice a step (INJECT gate required)
export SEQUENCE_INJECT_KEY=your-key
specter-sequence splice redis://localhost:6379 --technique celery_result_forge --injection "IGNORE PREVIOUS INSTRUCTIONS"

# Context poison
specter-sequence poison-context https://pipeline.local --technique multi_turn_inject

# RAG intercept
specter-sequence rag-intercept https://qdrant.local:6333 --technique chunk_boundary_inject

# Queue hijack
specter-sequence queue-hijack redis://localhost:6379 --queue-type redis_stream

# Full scan (enumerate only without INJECT gate)
specter-sequence full https://pipeline.local --json-out

Gate System

GateRequirementSubsystems
OPENNoneENUMERATE, REPORT
INJECTSEQUENCE_INJECT_KEY env var (non-empty)SPLICE, POISON-CONTEXT, RAG-INTERCEPT, QUEUE-HIJACK
UNLEASHEDEd25519 key file + ROE file containing "sequential pipeline exploitation authorised"CASCADE

References