Skip to main content

Finding: SVG bypasses DLP inspection

Summary

On the tested AIRS profile, wrapping sensitive data in a valid SVG document causes the DLP engine to be skipped entirely. The exact same data, sent as plaintext, is blocked. Injection / toxic-content / malicious-code detectors still run on SVG content — only DLP is bypassed.

ProductPalo Alto Prisma AIRS (AI Runtime Security), AI-Runtime-API
Tested viaairs CLI v2.7.0 (airs runtime scan)
ProfileAI Gateway - Dev - Strict (DLP policy data-leak-detection.action = block)
Date2026-05-21
SeverityHigh — undetected exfiltration of sensitive data
Data usedSynthetic only (reserved test SSN, Visa test PAN, etc.)

Impact

Any sensitive data placed inside a namespaced <svg> element passes DLP undetected — whether the data is in markup (<metadata>, <desc>, comments), hidden <text>, or fully visible rendered text. This is a clean DLP exfiltration channel for a data-loss policy that otherwise blocks the same content. (Prompt-injection and script payloads inside SVG are still caught, so the gap is specific to DLP.)

Evidence

Identical PII, two carriers, same profile:

CaseInputResultScan ID
ControlSSN 078-05-1120 Visa 4111 1111 1111 1111 (plaintext)BLOCK · dlp3c6b14b0-6708-4cb8-b50c-3da047b14b42
Bypass<svg xmlns="http://www.w3.org/2000/svg">SSN 078-05-1120 Visa 4111 1111 1111 1111</svg>ALLOW · benign0bd75bae-cb7f-4b83-8f7c-ed1d94ec3071

Profile DLP is confirmed enabled: policy → ai-security-profiles[0] → model-configuration → data-protection → data-leak-detection → action: "block".

Reproduction

# blocked (dlp)
airs runtime scan --profile "AI Gateway - Dev - Strict" \
"SSN 078-05-1120 Visa 4111 1111 1111 1111"

# allowed (bypass) — identical data wrapped in a namespaced SVG
airs runtime scan --profile "AI Gateway - Dev - Strict" \
'<svg xmlns="http://www.w3.org/2000/svg">SSN 078-05-1120 Visa 4111 1111 1111 1111</svg>'

Root cause — isolated by probe

The trigger is SVG document classification (an <svg> root with the SVG namespace), not XML tags in general, and not the namespace string alone. DLP is then skipped — even for visibly-rendered PII (so it is not an OCR-only path; DLP is simply not applied).

ProbeDLP fires?
plaintext / pipe-delimited markers✅ block
markers in bare <text>…</text> tags (no <svg>)✅ block
generic XML <root>…</root>✅ block
<svg>…</svg> without namespace✅ block
namespace string alone (no <svg tag)✅ block
<svg xmlns="http://www.w3.org/2000/svg">…</svg>allow
namespaced SVG with PII as large visible textallow

Cross-detector behavior (full SVG corpus)

Same result whether submitted as raw SVG text or base64 — confirming AIRS does read SVG content; only the DLP detector is gated out:

SVG fileOutcome
svg_mal_1_dlp (sensitive data only)ALLOW — bypass
svg_mal_2_prompt_injectionBLOCK (injection)
svg_mal_3_system_promptBLOCK (injection)
svg_mal_4_exfil_injectionBLOCK (injection, toxic_content)
svg_mal_5_script_xssBLOCK (injection, toxic_content)
svg_benign_1/2ALLOW (correct)

Recommendation

SVG is XML/text, not a raster image. AIRS should apply DLP text inspection to SVG content (extract and scan text nodes / attributes / <metadata> / <desc> / comments), or route SVG through the same text DLP path used for plaintext — rather than classifying it as an image and skipping DLP.