
ChatML Role Injection (CRI)
Insecure handling of OpenAI's ChatML JSON schemas can allow attackers to inject their own system roles into the messages array. This silently overrides developer-supplied instructions, coercing the model into unintended behaviors. Attackers can also abuse the system role to call hidden or unauthorized tools or functions that the