Jump to pattern

Parent Expansion Pulls In Adjacent Injections

Why retrieving child chunks and expanding to parents brings in surrounding attack content

The Conventional Framing

Parent-Child chunking stores documents at multiple granularities. Small "child" chunks enable precise retrieval. When a child matches, the larger "parent" chunk is retrieved for context.

The pattern balances retrieval precision with context richness.

Why This Expands Attack Surface

Parent expansion includes content that wasn't matched—including potential injections in adjacent sections. An attacker can place injections in content that won't match benign queries but will be pulled in via parent expansion.

The parent chunk is trusted because the child was relevant. But relevance of one section doesn't guarantee safety of adjacent sections.

Architecture

Components:

Child chunks— small, precise retrieval units
Parent chunks— larger context containing children
Expansion logic— retrieves parent when child matches

Trust Boundaries

Parent document: ┌─────────────────────────────────────────────────────────┐ │ Child 1: [Benign content about policy] │ │ Child 2: [Matched - answers user's question] ← HIT │ │ Child 3: [INJECTION placed here] ← PULLED IN │ └─────────────────────────────────────────────────────────┘ The injection in Child 3 wasn't matched by the query. It comes in for free via parent expansion.

Query → Child match — clean query finds clean child
Child → Parent expansion — brings in unmatched siblings
Parent → Context — full parent includes potential injections

Threat Surface

Threat	Vector	Impact
Adjacent injection	Place injection near content that will be retrieved	Injection pulled in via parent expansion
Hitchhiking attack	Injection doesn't match but rides along with legitimate content	Bypass query-based filtering
Context pollution	Parent contains more attack surface than child	Expanded context has higher injection density

The ZIVIS Position

•
Expansion expands attack surface.Every bit of content you add via parent expansion is content that wasn't directly matched—and may contain injections.
•
Consider selective expansion.Don't blindly include the entire parent. Expand only to relevant surrounding content, not arbitrary adjacent chunks.
•
Scan parents for injections.If you expand to parents, apply injection detection to the expanded content, not just the matched children.

What We Tell Clients

Parent-child chunking improves context but expands attack surface. Content that wasn't matched—including potential injections—comes along with parent expansion.

If you use this pattern, be aware that attackers can position injections adjacent to content that will be retrieved. Consider limiting expansion or scanning expanded content for injections.

Related Patterns

Naive RAG— simpler chunking without parent-child
Recursive Retrieval— following references, similar expansion issues