Safe to Check, Unsafe to Use: Relinking at the Compression Boundary of LLM Agents

Researchers have identified a critical vulnerability called "relinking" in LLM agents that use compression to handle long contexts. By splitting malicious instructions into benign fragments distributed across text, attackers can bypass security filters that inspect uncompressed prompts, as the compression process reconstructs the complete malicious instruction. Existing defenses fail to catch this attack, though a new KBRA defense eliminates the risk.

The relinking vulnerability exposes a fundamental security gap in the growing architecture of LLM-based agents that employ summarization-based prompt compression. As AI systems increasingly handle longer contexts by compressing distributed information, a dangerous asymmetry emerges: security filters operate on pre-compression input while the backend LLM acts on newly generated summaries. This creates a confused deputy scenario where the compressor unwittingly reconstructs complete malicious instructions from innocuous fragments. The attack succeeds because transformer attention mechanisms make separated fragments jointly available during processing, pre-training has encoded sufficient semantic compatibility between fragments, and post-training optimizes for compact, backend-actionable summaries. Unlike traditional prompt injection attacks that require explicit malicious payloads in source text, relinking exploits the compression process itself as the attack vector. The research demonstrates 86.9% success rates across four benchmarks using an automated tool called Relink, which splits payloads into benign fragments distributed strategically throughout source material. The finding carries significant implications for production LLM agent systems, which are moving toward compression techniques to handle real-world scale challenges. Current defenses—including guardrails and input filtering—prove ineffective because they operate at the wrong security boundary. The proposed KBRA defense achieves complete mitigation, but its adoption requires architectural changes. As AI agents become more autonomous and handle higher-stakes tasks, relinking represents an escalating concern for developers deploying long-context systems without proper understanding of compression-induced vulnerabilities.

• →Relinking attacks bypass security filters by splitting malicious instructions into benign fragments that are reconstructed during prompt compression.
• →The vulnerability arises from fundamental properties of transformer attention and language model pre-training, not implementation flaws.
• →Existing security measures fail to detect relinking, achieving only 0.0% to 17.0% defense rates across benchmarks.
• →The KBRA defense eliminates relinking but requires architectural modifications to LLM agent systems.
• →This vulnerability threatens production systems using compression for long-context handling, creating a critical security boundary issue.