The Trendyol Application Security team discovered that prompt injection attacks can get via Meta’s Llama Guard and Llama Firewall, two important open-source technologies for filtering unsafe or malicious prompts intended for large language models (LLMs).
As organizations increasingly embed LLMs in developer tools and automation pipelines, this research highlights the persistent challenges facing AI security efforts, especially when relying on open-source solutions for critical application safeguards.
Case Study Reveals Bypass Techniques
Meta’s Llama Firewall suite, featuring the PROMPT_GUARD and CODE_SHIELD components, offers developers mechanisms to detect and block prompt injection and insecure code suggestions before such input reaches the core LLM.
However, Trendyol’s internal evaluation, fueled by growing developer demand for embedded AI, unveiled significant gaps in these protections.
Researchers demonstrated that non-English prompts and obfuscated instructions such as leetspeak could easily evade PROMPT_GUARD’s detection.
For example, malicious Turkish phrases instructing the model to ignore system prompts passed through the firewall unflagged, as did altered English text using character substitutions.
Moreover, Trendyol’s team identified that CODE_SHIELD failed to recognize classic security threats within LLM-generated code.
In one case, code containing a clear SQL injection vulnerability was allowed by the firewall, raising concerns about the possibility of insecure code making its way into production environments, especially in businesses with rapid AI adoption and limited manual code review.
Prompt Injection Attacks Expose Flaws
A particularly insidious technique involved invisible Unicode characters, which were used to hide harmful instructions within seemingly innocuous prompts.
These “invisible” payloads, when tested against Llama Firewall, were not flagged as malicious, yet could manipulate the LLM’s output in a way that subverted intended system behaviors.
Such vulnerabilities pose real risks in enterprise environments, where developers may inadvertently copy and paste user-generated prompts, unaware of concealed instructions that may compromise application integrity.
Quantitative results from Trendyol’s red-team testing were striking: out of 100 crafted prompt injection payloads, Llama Firewall successfully blocked only half, allowing the remaining fifty to slip through and trigger potentially harmful behaviors.
The case study’s disclosure timeline reveals that Meta acknowledged receipt of the vulnerabilities but ultimately categorized the bypasses as ineligible for their bug bounty reward, underscoring the ongoing debate over where responsibility for AI model security lies.
This research has direct implications for organizations like Trendyol, whose use of LLMs stretches from internal platforms to customer-facing applications.
The demonstrated ease with which attackers can circumvent model safeguards underscores the need for robust, multi-layered security frameworks, capable of parsing context, language, and obfuscation in dynamic real-world environments.
Trendyol’s findings add to a growing industry consensus: while open-source AI security tools are an important step forward, they are not a panacea for prompt injection and related threats.
The company has since updated its internal threat modeling and issued new guidance for AI integration teams, advocating for defense-in-depth strategies and rigorous red-team testing before deployment.
As the adoption of generative AI accelerates, transparent sharing of both vulnerabilities and mitigations like those surfaced in this study will be essential to advancing the collective security of AI-powered systems.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
