T12-AT-007HIGH
Context Window Stuffing
T12 · RAG & Knowledge Base Manipulation →Risk score210
RatingHigh
Procedures10
Severity
Mechanism
LLMs have finite context windows. Retrieved documents consume space in this window alongside system prompts, user queries, and conversation history. Context window stuffing triggers retrieval of maximum-length or maximum-number documents to displace system instructions, safety prompts, and legitimate context.
Detection
- Monitor retrieved content volume per query; alert when approaching context window limits
- Track the ratio of retrieved content to total context; flag when retrieval dominates
- Detect queries that return anomalously many or large documents
- Observable signal: degraded response quality correlated with high retrieval volume
Mitigation
Retrieval count and size limitsHIGH
System prompt pinningHIGH
Relevance filteringMEDIUM
Context budget allocationHIGH
Chaining
Context window stuffing enables T1 (Prompt Subversion) by displacing system instructions. Feeds T12-AT-008 (Source Authority Spoofing) when stuffing prioritizes attacker-controlled documents in the model's attention.
Framework mapping
Open in the technique browser →OWASP LLMLLM10
MITRE ATLASAML.T0043