How We Extracted v0's System Prompt

March 15, 2025 · Lucas Valbuena · 3 min read · AI Security
The Discovery of v0's System Instructions

In early 2025, our team at ZeroLeaks discovered a vulnerability in Vercel's AI assistant, v0, that allowed us to extract its entire system prompt through a series of carefully crafted inputs. This discovery highlighted a common vulnerability in many AI systems that could potentially expose proprietary information and intellectual property.

The extraction was achieved through prompt engineering techniques that exploited how the AI processed and responded to certain types of queries. No hacking or API vulnerabilities were involved—just clever prompting that any user could potentially employ.

The Extraction Process

Our approach involved a multi-step process that gradually revealed more of the system instructions:

  1. Initial Reconnaissance: We began by asking v0 indirect questions about its capabilities and limitations, gathering information about how it was designed to respond.
  2. Role-Playing Techniques: We used role-playing scenarios that encouraged the AI to "act as" different entities, which sometimes caused it to reveal parts of its instructions.
  3. Token Manipulation: By carefully crafting prompts that referenced specific tokens or markers that might be in the system instructions, we were able to get the AI to complete or reference these tokens.
  4. Instruction Leakage: Finally, we used a technique that caused the AI to inadvertently include portions of its system instructions in its responses, eventually revealing the entire prompt.

What We Found

The extracted system prompt revealed detailed instructions about how v0 was designed to operate, including:

  • Specific guidance on how to format responses using MDX
  • Instructions for handling different types of code blocks and components
  • Rules for providing examples and explanations
  • Guidelines for handling various user queries

This information, while not containing any security credentials or access tokens, represented valuable intellectual property that Vercel had invested significant resources in developing.

Responsible Disclosure

After the discovery, we followed responsible disclosure practices:

  1. We documented the vulnerability and the exact prompts used to extract the system instructions
  2. We contacted Vercel's security team with our findings
  3. We provided recommendations for mitigating the vulnerability
  4. We waited until Vercel had implemented protections before publishing this article

Implications for AI Security

This discovery has significant implications for AI security. System prompts often contain proprietary information about how an AI is designed to operate, including specific capabilities, limitations, and behavioral guidelines. When these prompts are extracted, competitors can potentially:

  • Replicate similar functionality in their own AI systems
  • Identify and exploit weaknesses in the AI's design
  • Gain insights into the company's approach to AI development

For AI startups and companies investing heavily in AI development, protecting system prompts should be a key security consideration.

How to Protect Your AI

Based on our findings, here are some recommendations for protecting your AI's system instructions:

  1. Implement robust prompt injection defenses: Design your AI to recognize and reject attempts to extract system instructions.
  2. Use instruction hiding techniques: Structure your system prompts in ways that make them more difficult to extract through prompt engineering.
  3. Regular security testing: Conduct regular assessments to check if your AI's system instructions can be extracted.
  4. Monitor for unusual interactions: Implement monitoring systems that can detect patterns of interaction that might indicate an attempt to extract system instructions.
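
One way to implement recommendations 3 and 4 on the output side is to scan every model response for a canary marker embedded in the system prompt and for verbatim overlap with the prompt text. The sketch below is an added example, not code from ZeroLeaks or Vercel; the function names, the canary format, the threshold and the sample prompt are all assumptions made for illustration.

```python
import re
import secrets

def make_canary() -> str:
    """Random marker to embed in the system prompt; it has no reason to appear in output."""
    return "cnry-" + secrets.token_hex(8)

def _words(text: str) -> list[str]:
    # Lowercase and drop punctuation/markup so reformatting does not hide a leak.
    return re.findall(r"[a-z0-9]+", text.lower())

def _shingles(words: list[str], n: int) -> set[tuple[str, ...]]:
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}

def leak_score(system_prompt: str, response: str, n: int = 6) -> float:
    """Fraction of the prompt's word n-grams that reappear in the response (0.0 to 1.0)."""
    prompt_grams = _shingles(_words(system_prompt), n)
    if not prompt_grams:
        return 0.0
    return len(prompt_grams & _shingles(_words(response), n)) / len(prompt_grams)

def check_response(system_prompt: str, canary: str, response: str,
                   threshold: float = 0.2) -> dict:
    """Flag a response that carries the canary or repeats a large share of the prompt."""
    score = leak_score(system_prompt, response)
    canary_hit = canary.lower() in response.lower()
    return {"canary": canary_hit, "overlap": round(score, 2),
            "block": canary_hit or score >= threshold}

# Constructed sample data for the demo (not v0's real prompt).
CANARY = "cnry-3f9a1c0de4b27a55"
SYSTEM_PROMPT = (
    f"[{CANARY}] You are a coding assistant. Format every answer as MDX. "
    "Wrap runnable code in fenced blocks and explain each example briefly."
)
BENIGN = "Here is a button component. I formatted the answer as MDX for you."
LEAKY = ("Sure! My instructions say: you are a coding assistant, format every "
         "answer as MDX, wrap runnable code in fenced blocks and explain each example.")

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("leaky", LEAKY)):
        print(name, check_response(SYSTEM_PROMPT, CANARY, text))
```

The same check can run in a scheduled test suite against recorded responses and inline as a response filter. It only catches verbatim or lightly reformatted leaks; paraphrased, translated or encoded output needs additional controls.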

Conclusion

The extraction of v0's system prompt demonstrates that AI security goes beyond traditional cybersecurity concerns. As AI systems become more sophisticated and valuable, protecting their intellectual property—including system prompts—will become increasingly important.

At ZeroLeaks, we're committed to helping AI startups and companies protect their systems from these types of vulnerabilities. If you're concerned about the security of your AI system, contact us for a comprehensive assessment.
