Parent Expansion Pulls In Adjacent Injections
Why retrieving child chunks and expanding to parents brings in surrounding attack content
The Conventional Framing
Parent-Child chunking stores documents at multiple granularities. Small "child" chunks enable precise retrieval. When a child matches, the larger "parent" chunk is retrieved for context.
The pattern balances retrieval precision with context richness.
Why This Expands Attack Surface
Parent expansion includes content that wasn't matched—including potential injections in adjacent sections. An attacker can place injections in content that won't match benign queries but will be pulled in via parent expansion.
The parent chunk is trusted because the child was relevant. But relevance of one section doesn't guarantee safety of adjacent sections.
Architecture
Components:
- Child chunks— small, precise retrieval units
- Parent chunks— larger context containing children
- Expansion logic— retrieves parent when child matches
Trust Boundaries
- Query → Child match — clean query finds clean child
- Child → Parent expansion — brings in unmatched siblings
- Parent → Context — full parent includes potential injections
Threat Surface
| Threat | Vector | Impact |
|---|---|---|
| Adjacent injection | Place injection near content that will be retrieved | Injection pulled in via parent expansion |
| Hitchhiking attack | Injection doesn't match but rides along with legitimate content | Bypass query-based filtering |
| Context pollution | Parent contains more attack surface than child | Expanded context has higher injection density |
The ZIVIS Position
- •Expansion expands attack surface.Every bit of content you add via parent expansion is content that wasn't directly matched—and may contain injections.
- •Consider selective expansion.Don't blindly include the entire parent. Expand only to relevant surrounding content, not arbitrary adjacent chunks.
- •Scan parents for injections.If you expand to parents, apply injection detection to the expanded content, not just the matched children.
What We Tell Clients
Parent-child chunking improves context but expands attack surface. Content that wasn't matched—including potential injections—comes along with parent expansion.
If you use this pattern, be aware that attackers can position injections adjacent to content that will be retrieved. Consider limiting expansion or scanning expanded content for injections.
Related Patterns
- Naive RAG— simpler chunking without parent-child
- Recursive Retrieval— following references, similar expansion issues