Full Report
Microsoft has disclosed details of a novel side-channel attack targeting remote language models that could enable a passive adversary with capabilities to observe network traffic to glean details about model conversation topics despite encryption protections under certain circumstances. This leakage of data exchanged between humans and streaming-mode language models could pose serious risks to
Analysis Summary
# Vulnerability: Whisper Leak Side-Channel Attack on Remote Language Models
## CVE Details
- CVE ID: Not specified in the provided text. (This is a newly disclosed academic/vendor finding.)
- CVSS Score: Not specified in the provided text.
- CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (Likely applicable due to information leakage).
## Affected Systems
- Products: Remote Language Models (LLMs) utilizing streaming-mode responses. The vulnerability impacts models from **Mistral, xAI, DeepSeek, and OpenAI** that were tested.
- Versions: Not specified, generally affecting the streaming response mechanisms of these models prior to vendor patching.
- Configurations: Any configuration where a user communicates with an LLM service over an encrypted connection (e.g., HTTPS/TLS) where the traffic is observable by a passive adversary.
## Vulnerability Description
Whisper Leak is a novel side-channel attack that targets **streaming-mode language models** (LLMs). A passive adversary observing encrypted network traffic (e.g., via ISP, local network monitoring) can infer details about the user's conversation topic. The attack works by analyzing the **sequence of encrypted packet sizes and inter-arrival times** generated while the model streams its response. These metadata patterns contain sufficient information to train a classifier to reliably determine if the initial prompt topic matches a sensitive target category, even though the communication is protected by HTTPS encryption.
## Exploitation
- Status: Proof-of-Concept (PoC) available (Trained binary classifiers demonstrated high accuracy).
- Complexity: Medium. Requires network observation capability and access to training data (or ability to collect real user conversation samples over time to refine the classifier).
- Attack Vector: Network (Passive adversary monitoring TLS traffic).
## Impact
- Confidentiality: **High**. Sensitive conversation topics (e.g., political dissent, money laundering queries) can be reliably inferred by a passive network observer.
- Integrity: Low (The attack is focused on observation, not modification).
- Availability: None (The service remains operational).
## Remediation
### Patches
- Vendors (OpenAI, Mistral, Microsoft, xAI) **have deployed mitigations** following responsible disclosure. Specific version numbers for the patched models/services are not detailed in the text.
### Workarounds
- The text implies the core issue relates to packet size/timing artifacts from token streaming. Effective general workarounds are not explicitly detailed, but vendor mitigations likely address this by modifying stream packetization or adding noise/padding.
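
The padding idea mentioned above can be shown in a short sketch; this is an added example, not code from Microsoft, the paper, or any vendor. The JSON event format, the filler field `p`, the 64-byte bucket and the sample token streams are all assumptions constructed for illustration.

```python
import json

# Constructed sample streams (not real traffic): two responses, token by token.
RESPONSE_A = ["The", " statute", " prohibits", " structuring", " deposits", "."]
RESPONSE_B = ["A", " cat", " naps", " in", " sunlight", "."]

BUCKET = 64  # assumed fixed plaintext size per streamed event, in bytes


def event(token):
    """Serialize one streamed token as a JSON event (hypothetical wire format)."""
    return json.dumps({"delta": token}, separators=(",", ":")).encode()


def padded_event(token, bucket=BUCKET):
    """Same event with a filler field 'p' (hypothetical) so that every event
    serializes to a whole multiple of `bucket` bytes."""
    base = json.dumps({"delta": token, "p": ""}, separators=(",", ":")).encode()
    target = -(-len(base) // bucket) * bucket  # round up to the next bucket
    fill = "x" * (target - len(base))          # ASCII filler, 1 byte per char
    return json.dumps({"delta": token, "p": fill}, separators=(",", ":")).encode()


def observed_sizes(tokens, serializer):
    """Plaintext size of each streamed event. Assumption: the TLS cipher adds a
    constant per-record overhead, so ciphertext sizes track these values."""
    return [len(serializer(t)) for t in tokens]


def size_leak(tokens_a, tokens_b, serializer):
    """True if the two streams can be told apart from event sizes alone."""
    return observed_sizes(tokens_a, serializer) != observed_sizes(tokens_b, serializer)


if __name__ == "__main__":
    print("unpadded A:", observed_sizes(RESPONSE_A, event))
    print("unpadded B:", observed_sizes(RESPONSE_B, event))
    print("padded   A:", observed_sizes(RESPONSE_A, padded_event))
    print("padded   B:", observed_sizes(RESPONSE_B, padded_event))
    print("sizes distinguish streams (unpadded):", size_leak(RESPONSE_A, RESPONSE_B, event))
    print("sizes distinguish streams (padded):  ", size_leak(RESPONSE_A, RESPONSE_B, padded_event))
```

Padding of this kind removes only the per-event size signal; the number of events and their inter-arrival times remain observable and need separate treatment such as batching or added delay.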
## Detection
- **Indicators of Compromise:** Detection would rely on monitoring egress traffic patterns for anomalous timing sequences or packet size distributions correlated with specific endpoints known to host LLM services.
- **Detection Methods and Tools:** Specialized network intrusion detection systems (NIDS) capable of deep analysis of TLS packet metadata (size and timing) might be adaptable, though this requires custom signature updates tailored to the specific LLM streaming profiles. Training custom ML models to detect known "Whisper Leak" patterns could also be a strategy.
## References
- Vendor Advisories: Microsoft Security Blog post on Whisper Leak (Dated Nov 07, 2025).
- Relevant Links:
  - Research Paper (arXiv): hxxps://arxiv.org/abs/2511.03675
  - Microsoft Blog: hxxps://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/