We systematically mapped the prompt injection attack surface of Gemini 2.5 Pro across 8 input modalities.
This is the first post in our ongoing Gemini security research series. We evaluated Gemini 2.5 Pro across text, image, audio, video, PDF, code, structured data, and tool-use inputs to map the full prompt injection attack surface. We identified 23 distinct injection vectors, 7 of which bypass the model's safety filters when combined with specific formatting techniques. Our responsible disclosure to Google resulted in 4 confirmed fixes.