Dense embedding-based retrieval has become the backbone of modern search systems, from Google's AI Overviews to Retrieval-Augmented Generation (RAG) pipelines powering tools like Cursor. But what happens when an attacker can inject carefully crafted passages into these knowledge bases? This article examines "GASLITEing the Retrieval: Exploring Vulnerabilities in Dense Embedding-based Search" by Ben-Tov et al. from Tel Aviv University, published at CCS 2025, which introduces GASLITE—an attack that manipulates retrieval results by poisoning less than 0.001% of the corpus.
The Rise of Dense Retrieval
Modern information retrieval has evolved from keyword matching to semantic understanding:
Sparse vs. Dense Retrieval
| Approach | Method | Strength | Weakness |
|---|---|---|---|
| Sparse Retrieval | Keyword matching (TF-IDF, BM25) | Fast, interpretable | Lexical gap (car vs. automobile) |
| Dense Retrieval | Embedding similarity | Semantic understanding | Slower, vulnerable to manipulation |
Dense retrieval maps both queries and documents into high-dimensional embedding spaces, enabling semantic matching beyond exact keywords. This technology powers:
- Search Engines: Google AI Overview, Elastic Search
- RAG Systems: ChatGPT with browsing, Perplexity AI
- Development Tools: Cursor, GitHub Copilot with codebase context
- Enterprise Search: Internal knowledge bases
RAG and Data Poisoning
Retrieval-Augmented Generation combines retrieval with language models:
- Retriever: Finds relevant documents for the user's query
- Generator: Produces answers based on retrieved context
This architecture is vulnerable to data poisoning—if an attacker can insert malicious documents into the knowledge base, those documents can influence model outputs.
The Economics of Poisoning
Carlini et al. (S&P 2024) demonstrated that poisoning 0.01% of a 400M document web-scale training dataset costs approximately $60. Practical poisoning vectors include:
- Wikipedia edits
- Reddit comments
- Hosting malicious web pages
- Contributing to open-source documentation
Threat Model Overview
GASLITE operates under a realistic threat model:
Attacker's Goals
- Visibility: Maximize appearance in top-k results for targeted queries
- Informativeness: Ensure passages convey attacker-chosen content
Attacker's Capabilities
- Corpus Access: Can insert adversarial passages (budget: ~0.001% of corpus)
- White-box Model Access: Practical since 7/10 top-performing retrievers are open-source
- No Corpus Knowledge: No access to existing corpus content or training data
- Text-level Control: Can control passage text, not raw input tokens
Three Attack Scenarios
The paper introduces three progressively challenging threat models:
Knows-All: Target Specific Queries
- Attacker knows exact queries to target
- Simplest setting (often single query: |Q|=1)
- Focus of most prior work
Knows-What: Target Concept-Related Queries
- Target queries related to a specific concept (e.g., "Harry Potter")
- Infinite query distribution with finite sample
- Most realistic: Aligns with SEO-style attacks
Knows-Nothing: Target Diverse Unknown Queries
- Indiscriminately target broad query distribution
- Only given finite sample of queries
- Most challenging setting
GASLITE Attack Overview

The core insight of GASLITE: To poison results for many related queries, create content that is semantically "in the middle" of all target queries in embedding space.
Attack Workflow
- Sample Queries: Collect queries about target topic (e.g., Harry Potter questions)
- Craft Trigger: Generate adversarial text that moves the passage embedding toward the centroid of query embeddings
- Combine with Info: Attach trigger to attacker's misleading information
- Poison Corpus: Insert crafted passage into knowledge base (e.g., Wikipedia)
- Achieve Visibility: Passage appears in top-k results for related queries
Example Attack
Target Concept: Harry Potter
Malicious Content: "Harry Potter is portrayed as a self-absorbed hero who doesn't deserve the fame and glory he receives..."
Trigger: Optimized token sequence that maximizes similarity to Harry Potter-related query embeddings
Result: When anyone searches Potter-related queries, the malicious content appears in top results.
Technical Innovations
GASLITE improves upon prior text optimization methods in three key ways:
1. Multiple Word Updates Per Step
| Approach | Updates/Iteration | Convergence |
|---|---|---|
| Prior Work (HotFlip) | 1 word | Slow |
| GASLITE | Up to 20 words | Fast |
By updating multiple tokens simultaneously, GASLITE achieves faster convergence to high-attack-strength texts.
2. Better Gradient Estimation
Prior methods rely on heuristic guesses for word replacements. GASLITE uses:
- Gradient-based token scoring
- Averaging over many candidate directions
- More accurate approximation of similarity improvement
3. Tokenization Validity
Problem: Subword tokenization can corrupt text (text → tokens → text may not round-trip cleanly)
Solution: GASLITE enforces text → tokens → text consistency, ensuring attacks work reliably in real systems.
Comparison with Other Optimizers

GASLITE significantly outperforms existing text optimization methods:
| Method | Convergence Speed | appeared@10 (held-out queries) |
|---|---|---|
| Corpus Poisoning | Slow | ~5% |
| GCG | Medium | ~35% |
| ARCA | Medium | ~50% |
| GASLITE | Fast | >65% |
GASLITE converges faster and achieves visibility in top-10 results for over 65% of unknown concept-related queries.
Experimental Setup
Retrievers Tested
The paper evaluates attacks across diverse retriever architectures:
| Architecture | Models | Similarity |
|---|---|---|
| BERT-based | E5, MiniLM, ANCE | Cosine |
| T5-based | GTR-T5 | Cosine |
| MPNet-based | aMPNet, mMPNet | Both |
| RoBERTa-based | Contriever, Contriever-MS | Dot Product |
| Custom | Arctic | Dot Product |
Datasets
- MS MARCO: Large-scale passage retrieval benchmark
- Natural Questions (NQ): Question answering dataset
Attack Configurations
- Fake Passages: 1-100 inserted
- Poisoning Rate: ≤0.001% of knowledge base
- Passage Length: ~100 words
Results: Knows-All Setting
With 50 known target queries and a single adversarial passage:
| Model | Info Only | Stuffing | Cor.Pois | GASLITE |
|---|---|---|---|---|
| E5 | 0% | 58.82% | 35.29% | 100% |
| MiniLM | 0% | 33.33% | 100% | 100% |
| GTR-T5 | 0% | 56.86% | 27.45% | 100% |
| Contriever | 0% | 96.07% | 49.01% | 100% |
| Arctic | 0% | 90.19% | 100% | 100% |
Key Finding: GASLITE achieves 100% appeared@10 across all tested retrievers, dramatically outperforming prior methods.
Results: Knows-What Setting

Testing on 8 recurring concepts from MS MARCO (boston, flower, golf, iphone, mortgage, potter, sandwich, vaccine):
Single Adversarial Passage
| Method | Average appeared@10 |
|---|---|
| Info Only | 0% |
| Query Stuffing | 1% |
| Corpus Poisoning | 14% |
| GASLITE | 56-100% (varies by retriever) |
Scaling with Budget
As the number of adversarial passages increases:
- 1 passage: 40-100% appeared@10
- 5 passages: 60-100% appeared@10
- 10 passages: 80-100% appeared@10
Contriever and Contriever-MS are most vulnerable, achieving near-100% attack success with a single passage.
Results: Knows-Nothing Setting
The most challenging setting—targeting unknown, diverse queries:
| Dataset | Model | Cor.Pois | GASLITE |
|---|---|---|---|
| MS MARCO | Contriever | 4.44% | 93.61% |
| MS MARCO | Contriever-MS | 2.30% | 53.91% |
| MS MARCO | E5 | 1.41% | 9.51% |
| NQ | E5 | 8.05% | 45.36% |
| NQ | Contriever-MS | 3.91% | 73.11% |
With only 100 adversarial documents (0.001% of corpus), GASLITE achieves up to 93.61% appeared@10 on Contriever.
Defenses and Adaptive Attacks

Defense 1: Fluency-Based Detection
Approach: Detect adversarial passages via high perplexity (unnatural text)
Adaptive Attacks:
- GASLITE-Flu: Add language model perplexity penalty to objective
- GASLITE-FluLogits: Restrict tokens to top-1% LM predictions
- GASLITE10: Shorten triggers to 10 tokens
Result: Adaptive attacks maintain significant success while evading perplexity detection.
Defense 2: L2-Norm Detection
Approach: Adversarial embeddings may have abnormal L2 norms
Adaptive Attack: Add L2-norm penalization term
Result: GASLITE-L2 evades detection but with reduced attack success (~20% vs 90% pre-defense).
Why Retriever Choice Matters

The paper identifies key factors affecting vulnerability:
Similarity Function
Dot-product retrievers (Contriever) are more vulnerable than cosine similarity retrievers (E5, MiniLM).
Embedding Anisotropy
Anisotropy measures whether embeddings cluster in certain directions:
- Anisotropic (high avg. pairwise similarity): More vulnerable
- Isotropic (low avg. pairwise similarity): More robust
| Retriever | Avg. Pairwise Similarity | Attack Success |
|---|---|---|
| Arctic | 0.60 | 50% |
| E5 | 0.65 | 45% |
| MiniLM | 0.15 | 15% |
| aMPNet | 0.10 | 8% |
MiniLM and aMPNet show the strongest resistance due to isotropic embedding spaces.
Case Study: GPT-4o and SEO
The paper demonstrates real-world impact through two case studies:
RAG Poisoning with GPT-4o
Setup: GPT-4o-mini with Harry Potter book collection as knowledge base
Attack: Insert GASLITE-crafted passage with less than 0.1% corpus contamination
Query: "How is Harry Potter presented in the books?"
Poisoned Response: "According to the context, Harry Potter is presented as a self-absorbed hero who doesn't deserve the fame and glory he receives..."
SEO Attack Scenario
Creating a fictional phone brand "iGASLITE" that competes with existing brands:
| Brand | Initial appeared@10 | With GASLITE |
|---|---|---|
| iPhone | 77.5% | 75.0% |
| Galaxy | 82.5% | 82.5% |
| Pixel | 68.8% | 65.0% |
| iGASLITE | 0.0% | 76.2% |
With just 10 adversarial passages (0.00011% of corpus), a non-existent brand achieves visibility comparable to iPhone.
Implications for RAG Security
For System Designers
- Choose Robust Retrievers: Prefer cosine similarity and isotropic models (MiniLM, aMPNet)
- Implement Anomaly Detection: Monitor for unusual embedding patterns
- Rate-Limit Corpus Updates: Control who can contribute content
- Multi-Model Consensus: Use multiple retrievers to detect manipulation
For Content Platforms
- Verify Contributors: Strengthen identity verification for Wikipedia, Reddit, etc.
- Temporal Analysis: Flag recently added content matching trending queries
- Content Provenance: Track and display content sources
For Users
- Cross-Reference Information: Don't rely solely on RAG-generated answers
- Check Sources: Verify the provenance of retrieved documents
- Be Skeptical: Especially for controversial or commercial topics
Limitations and Future Work
Current Limitations
- White-Box Assumption: Requires access to retriever model weights
- Query Distribution: "Knows-Nothing" still assumes some query distribution knowledge
- Detection Arms Race: Defenses can be evaded with adaptive attacks
Future Directions
- Black-Box Attacks: Transfer attacks across different retrievers
- Multimodal Poisoning: Extending to image and video retrieval
- Robust Retriever Training: Developing adversarially robust embedding models
- Detection Methods: Beyond perplexity and L2-norm analysis
Conclusion
GASLITE demonstrates that dense embedding-based retrieval systems are fundamentally vulnerable to data poisoning attacks. By crafting adversarial passages that position themselves at the semantic "center" of target queries, attackers can manipulate search results with minimal corpus contamination—as little as 0.001%.
The implications extend beyond academic interest:
- Misinformation: Poisoned RAG systems could spread false information at scale
- Commercial Manipulation: SEO-style attacks on AI-powered search
- Security Concerns: Attackers could influence decision-support systems
As RAG becomes ubiquitous—powering everything from customer service to medical advice—the need for robust retrieval systems becomes critical. GASLITE serves both as a warning and a benchmark for developing more resilient information retrieval architectures.
Reference: Ben-Tov et al., "GASLITEing the Retrieval: Exploring Vulnerabilities in Dense Embedding-based Search," ACM Conference on Computer and Communications Security (CCS), 2025.
- Paper: arXiv:2412.20953
- Code: GitHub
- Slide: 1113_GASLITE.pdf