This work identifies a novel implicit prompt injection vulnerability in large language models (LLMs) when integrated with the Model Context Protocol (MCP) and external resources such as web pages: adversaries manipulate Unicode codepoint-to-glyph mappings in malicious fonts to embed adversarial instructions imperceptibly. The authors are the first to systematically discover and validate the font layer as a previously unrecognized attack surface. They propose two MCP-specific attack paradigms—“malicious content relaying” and “sensitive data exfiltration”—and validate them via font reverse engineering, dynamic rendering monitoring, MCP penetration testing, and cross-model security evaluation. Experiments across mainstream LLM+MCP configurations achieve up to 73.6% malicious prompt trigger rates, successfully evading existing safety filters. The findings prompted adoption of the proposed defensive mitigations by two open-source LLM platforms.

Large Language Models (LLMs) are increasingly equipped with capabilities of real-time web search and integrated with protocols like Model Context Protocol (MCP). This extension could introduce new security vulnerabilities. We present a systematic investigation of LLM vulnerabilities to hidden adversarial prompts through malicious font injection in external resources like webpages, where attackers manipulate code-to-glyph mapping to inject deceptive content which are invisible to users. We evaluate two critical attack scenarios: (1)"malicious content relay"and (2)"sensitive data leakage"through MCP-enabled tools. Our experiments reveal that indirect prompts with injected malicious font can bypass LLM safety mechanisms through external resources, achieving varying success rates based on data sensitivity and prompt design. Our research underscores the urgent need for enhanced security measures in LLM deployments when processing external content.