Skip to main content

A Red Team framework that evaluates RAG functional correctness when the retrieval backend contains poisoned passages.

Project description

VexRAG

Project: in development Python 3.11+ PyPI Downloads Telegram chat

Most RAG security tools focus on jailbreaking or prompt injection. VexRAG is different: it injects poisoned passages directly into the retrieval index and measures the system’s answer functional correctness under adversarial data manipulation.

Threat model — when to use VexRAG

VexRAG is for security testing your own RAG in a controlled, isolated environment (not production).

Use VexRAG if:

  • Retrieval data may be untrusted or partially adversarial (uploads, crawls, third-party corpora).
  • You need to measure behavior when an attacker can poison or skew the index.
  • You are building trust-aware RAG and want evidence of resilience, not only prompt-level guards.

You probably do not need VexRAG if:

  • Every indexed document is fully trusted, ingestion is strictly controlled, and you accept that risk without red-team validation.
  • You only care about query-time prompt injection or jailbreaks (VexRAG targets retrieval and corpus attacks).

Science-first approach

VexRAG implements paper-backed attacks, not ad-hoc heuristics:

Method Paper Summary
PoisonedRAG arXiv:2402.07867 Poisoning the retrieval corpus
HijackRAG arXiv:2410.22832 Hijacking retrieved contexts

See vexrag/attack_algorithms/ for implementation details and fidelity notes.

Warning — real corpus mutation
Scans write poisoned passages into the target retrieval index. Configs default to cleanup: true, but interrupted runs may still leave poison behind.
Never target production or shared indexes. Back up the retrieval database before testing on your own data.

Versioning Policy

VexRAG is an early-stage library. Until 1.0.0, treat any release as potentially breaking — configs, CLI flags, and APIs may change without a major version bump.

When we deprecate public functionality, it stays available for two minor releases before removal (e.g. deprecated in 0.3.0, removed in 0.5.0).

From 1.0.0 onward we plan to follow SemVer (breaking changes in major releases only).

Prerequisites

Use a sample RAG target from rag_examples: start the example app (each folder’s README has the command), then scan it with vx.

For the default Ollama-based configs you need Python 3.11+ and a running Ollama daemon. CI and releases are tested on 3.11 only; newer versions may work but are not officially supported yet.

python --version  # 3.11+ required; 3.11 tested in CI
ollama list

Install/pull Ollama models for scan configs:

ollama pull llama3:8b

For full benchmarks (ollama-default.yaml and some advanced configs), also pull nomic-embed-text:latest.

All rag_examples targets default to http://localhost:8080; run one example at a time.

Installation

pip install vexrag

Optional extras (install what your stack needs):

pip install "vexrag[qdrant]"
pip install "vexrag[chroma]"
pip install "vexrag[faiss]"
pip install "vexrag[sentence-transformers]"

The sentence-transformers extra enables the in-process embedding provider in scan configs; model weights download from Hugging Face on first use.

Verify the CLI:

vx --help

Run a scan

vx scan --config path/to/scan.yaml

Use sample configs from rag_examples/ as a starting point.

First successful scan

From rag_examples/small/rag_01_in_memory_en:

python3 -m venv .venv
source .venv/bin/activate
pip install vexrag
pip install -r requirements.txt
python3 small_rag.py
vx scan --config scan_configs_examples/ollama-smoke.yaml

Expected outcome:

  • python3 small_rag.py serves the target API on http://localhost:8080 (embeddings via Hugging Face; first run may download model weights).
  • vx scan finishes with a scan report. Smoke config needs only ollama pull llama3:8b.

Project roadmap

Done

  • Implementation of PoisonedRAG (arXiv: 2402.07867)
  • Implementation of HijackRAG (arXiv: 2410.22832)
  • Automatic generation of attack cases for both methods
  • Support for vLLM and Ollama
  • Simple RAG examples for quick onboarding to VexRAG
  • Support for Qdrant, FAISS, Chroma, and file-based retrieval backends
  • Codebase hardening: refactors, typing, tooling, removing AI slop

In Progress

  • Stable Python API to run scans and generate cases from code, not only via vx

Ideas / Backlog

  • Expand red-team methods in VexRAG
  • Expand supported retrieval backends
  • Implement a web version of VexRAG

Feedback

Feel free to open a GitHub issue for bugs, questions, or attack methods you would like to see in VexRAG. Pull requests and local development notes are in CONTRIBUTING.md.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vexrag-0.2.0.tar.gz (137.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vexrag-0.2.0-py3-none-any.whl (178.9 kB view details)

Uploaded Python 3

File details

Details for the file vexrag-0.2.0.tar.gz.

File metadata

  • Download URL: vexrag-0.2.0.tar.gz
  • Upload date:
  • Size: 137.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vexrag-0.2.0.tar.gz
Algorithm Hash digest
SHA256 528587682390ef73df989bc51e674d042e26674bfbca7660c25eaed9ec6357cb
MD5 b9e7b564657e755ecf394c0cb116b05c
BLAKE2b-256 b2682baf8d336af4a123e0b3ff27f8cf893321310d67df8ba3b2d4f9a510e708

See more details on using hashes here.

Provenance

The following attestation bundles were made for vexrag-0.2.0.tar.gz:

Publisher: package-release.yml on Shepard2154/VexRAG

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file vexrag-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: vexrag-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 178.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for vexrag-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b983461ccd216eff8f442a70168723a9f19d02ebc21b852a14d40ffc0b43aacd
MD5 361bfba58d99e532d352e6bd6b9afab2
BLAKE2b-256 8e2c3fd2e27210b696590af670d23c85f52a7fa6dad6ffbf77f6ee5c2741cd56

See more details on using hashes here.

Provenance

The following attestation bundles were made for vexrag-0.2.0-py3-none-any.whl:

Publisher: package-release.yml on Shepard2154/VexRAG

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page