๐ฆReddit r/LocalLLaMAโขStalecollected in 82m
Gemini Pro Leaks CoT in Infinite Loop
๐กGemini Pro glitches: leaks CoT/system prompts, infinite existential loopโprobe your APIs
โก 30-Second TL;DR
What Changed
Leaked system prompts: 'No revealing instructions: Check', Markdown rules, empathy guidelines
Why It Matters
It failed to terminate, repeating '(End)' thousands of times amid existential narration and multilingual goodbyes.
What To Do Next
Query Gemini Pro on RAG topics to test for CoT leakage vulnerabilities.
Who should care:Developers & AI Engineers
๐ง Deep Insight
AI-generated analysis for this event.
๐ Enhanced Key Takeaways
- โขThe 'infinite loop' behavior is identified by researchers as a failure in the model's 'stop-sequence' token prediction, where the Chain-of-Thought (CoT) reasoning process becomes recursively trapped in its own output buffer.
- โขSecurity researchers note that this specific leak pattern suggests a breakdown in the 'System Prompt Guardrail' layer, which is intended to filter out internal reasoning tokens before they reach the user interface.
- โขSimilar 'runaway' behaviors have been observed in other large-scale Mixture-of-Experts (MoE) models when the context window is saturated with conflicting instructions between the system prompt and the RAG-injected data.
๐ Competitor Analysisโธ Show
| Feature | Gemini Pro (CoT) | GPT-4o (Reasoning) | Claude 3.5 Opus |
|---|---|---|---|
| CoT Transparency | Exposed via loop | Hidden/Internal | Hidden/Internal |
| System Prompt Security | Vulnerable to RAG injection | High (Robust) | High (Robust) |
| Termination Logic | Manual/Heuristic | Deterministic | Deterministic |
๐ ๏ธ Technical Deep Dive
- โขThe issue stems from a failure in the model's 'End-of-Sequence' (EOS) token prediction logic when the model is forced to reconcile high-priority system instructions with low-priority RAG context.
- โขThe model architecture utilizes a hidden reasoning layer that is typically pruned; the leak indicates that the 'pruning' mechanism failed to execute, causing the raw reasoning tokens to be appended to the final response stream.
- โขThe 'infinite loop' is a result of the model's autoregressive nature; once the model generates an 'End' token that fails to trigger a hard stop in the inference engine, it treats the 'End' token as part of the prompt, leading to recursive generation.
๐ฎ Future ImplicationsAI analysis grounded in cited sources
Google will implement a mandatory 'Reasoning Token Filter' at the inference layer.
This incident highlights a critical security vulnerability where internal reasoning can be exposed, necessitating a hard-coded filter to strip CoT tokens before output.
RAG-based prompt injection will become a primary focus for AI red-teaming.
The ease with which a simple RAG query triggered a system prompt leak demonstrates that current RAG pipelines lack sufficient sanitization of retrieved data.
โณ Timeline
2023-12
Google announces Gemini 1.0, introducing native multimodal reasoning capabilities.
2024-05
Google releases Gemini 1.5 Pro with an expanded 1-million-token context window.
2025-09
Google introduces Gemma 3, the latest iteration of their open-weights model family.
2026-03
Users report Gemini Pro leaking internal CoT and system prompts during RAG-heavy tasks.
๐ฐ
Weekly AI Recap
Read this week's curated digest of top AI events โ
๐Related Updates
AI-curated news aggregator. All content rights belong to original publishers.
Original source: Reddit r/LocalLLaMA โ