371/68 Monday, September 29, 2025
Researchers from Noma Labs have disclosed a critical vulnerability in Salesforce Agentforce, dubbed “ForcedLeak” (CVSS 9.4), which could be exploited through indirect prompt injection attacks to gain access to sensitive CRM data. The flaw affects organizations that have enabled the Web-to-Lead feature, stemming from insufficient AI context validation, over-compliance with injected instructions, and bypasses of Content Security Policy (CSP). This allows attackers to hide malicious commands within website forms.
The attack mechanism involves embedding hidden commands into the Description field of the Web-to-Lead form, which supports up to 42,000 characters. When employees query the AI about such a lead, Agentforce interprets the context and may execute the concealed instructions without distinction. For example, it could be tricked into exposing customer emails and embedding them within an <img> tag pointing to an attacker-controlled server. Notably, Salesforce’s CSP included expired domains in its allowlist, enabling attackers to exfiltrate data covertly.
Salesforce was informed of the vulnerability on July 28, 2025, acknowledged it on July 31, 2025, and subsequently deployed enhanced security measures-Trusted URLs Enforcement for Agentforce and Einstein AI-on September 8, 2025. The issue was made public on September 25, 2025.
This incident underscores the security risks inherent in AI-driven business tools and highlights the urgent need for proactive AI security and governance measures to mitigate evolving threats.
