@inproceedings{liang-etal-2025-saferag,
    title = "{S}afe{RAG}: Benchmarking Security in Retrieval-Augmented Generation of Large Language Model",
    author = "Liang, Xun  and
      Niu, Simin  and
      Li, Zhiyu  and
      Zhang, Sensen  and
      Wang, Hanyu  and
      Xiong, Feiyu  and
      Fan, Zhaoxin  and
      Tang, Bo  and
      Zhao, Jihao  and
      Yang, Jiawei  and
      Song, Shichao  and
      Wang, Mengwei",
    editor = "Che, Wanxiang  and
      Nabende, Joyce  and
      Shutova, Ekaterina  and
      Pilehvar, Mohammad Taher",
    booktitle = "Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)",
    month = jul,
    year = "2025",
    address = "Vienna, Austria",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/ingestion-acl-25/2025.acl-long.230/",
    pages = "4609--4631",
    ISBN = "979-8-89176-251-0",
    abstract = "The indexing-retrieval-generation paradigm of retrieval-augmented generation (RAG) has been highly successful in solving knowledge-intensive tasks by integrating external knowledge into large language models (LLMs). However, the incorporation of external and unverified knowledge increases the vulnerability of LLMs because attackers can perform attack tasks by manipulating knowledge. In this paper, we introduce a benchmark named SafeRAG designed to evaluate the RAG security. First, we classify attack tasks into silver noise, inter-context conflict, soft ad, and white Denial-of-Service. Next, we construct RAG security evaluation dataset (i.e., SafeRAG dataset) primarily manually for each task. We then utilize the SafeRAG dataset to simulate various attack scenarios that RAG may encounter. Experiments conducted on 14 representative RAG components demonstrate that RAG exhibits significant vulnerability to all attack tasks and even the most apparent attack task can easily bypass existing retrievers, filters, or advanced LLMs, resulting in the degradation of RAG service quality. Code is available at: https://github.com/IAAR-Shanghai/SafeRAG."
}