attack 2025

Jailbreaking Multimodal Large Language Models via Shuffle Inconsistency

Shiji Zhao 1, Ranjie Duan 2, Fengxiang Wang 2, Chi Chen 1, Caixin Kang 1, Shouwei Ruan 1, Jialing Tao 2, YueFeng Chen 2, Hui Xue 2, Xingxing Wei 1

1 Beihang University

2 Alibaba Group

0 citations
α

Published on arXiv

2501.04931

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

SI-Attack achieves notably higher attack success rates on commercial closed-source MLLMs like GPT-4o and Claude-3.5-Sonnet compared to prior jailbreak methods, exploiting the gap between comprehension and safety capabilities for shuffled inputs.

SI-Attack

Novel technique introduced

Multimodal Large Language Models (MLLMs) have achieved impressive performance and have been put into practical use in commercial applications, but they still have potential safety mechanism vulnerabilities. Jailbreak attacks are red teaming methods that aim to bypass safety mechanisms and discover MLLMs' potential risks. Existing MLLMs' jailbreak methods often bypass the model's safety mechanism through complex optimization methods or carefully designed image and text prompts. Despite achieving some progress, they have a low attack success rate on commercial closed-source MLLMs. Unlike previous research, we empirically find that there exists a Shuffle Inconsistency between MLLMs' comprehension ability and safety ability for the shuffled harmful instruction. That is, from the perspective of comprehension ability, MLLMs can understand the shuffled harmful text-image instructions well. However, they can be easily bypassed by the shuffled harmful instructions from the perspective of safety ability, leading to harmful responses. Then we innovatively propose a text-image jailbreak attack named SI-Attack. Specifically, to fully utilize the Shuffle Inconsistency and overcome the shuffle randomness, we apply a query-based black-box optimization method to select the most harmful shuffled inputs based on the feedback of the toxic judge model. A series of experiments show that SI-Attack can improve the attack's performance on three benchmarks. In particular, SI-Attack can obviously improve the attack success rate for commercial MLLMs such as GPT-4o or Claude-3.5-Sonnet.

Key Contributions

  • Discovers 'Shuffle Inconsistency': MLLMs comprehend shuffled harmful text-image instructions but their safety mechanisms fail to block them
  • Proposes SI-Attack, a query-based black-box jailbreak that uses a toxic judge model to select the most harmful shuffled input configurations
  • Demonstrates improved attack success rates on commercial closed-source MLLMs (GPT-4o, Claude-3.5-Sonnet) across three benchmarks

🛡️ Threat Analysis

Details

Domains
multimodalnlp
Model Types
vlmllm
Threat Tags
black_boxinference_timetargeted
Datasets
three jailbreak benchmarks (unspecified in abstract)
Applications
multimodal llm safetycommercial mllm apis (gpt-4o, claude-3.5-sonnet)
Read PDF arXiv

Similar Papers

attack

JPRO: Automated Multimodal Jailbreaking via Multi-Agent Collaboration Framework

2025 0 cit.
100%
attack

Gaming the Judge: Unfaithful Chain-of-Thought Can Undermine Agent Evaluation

2026 1 cit.
100%
attack

The Emotional Baby Is Truly Deadly: Does your Multimodal Large Reasoning Model Have Emotional Flattery towards Humans?

2025 0 cit.
100%
attack

Text is All You Need for Vision-Language Model Jailbreaking

2026 0 cit.
100%
attack

Multi-Turn Adaptive Prompting Attack on Large Vision-Language Models

2026 0 cit.
100%
attack

Multimodal Safety Is Asymmetric: Cross-Modal Exploits Unlock Black-Box MLLMs Jailbreaks

2025 1 cit.
93%
benchmark

SafeMT: Multi-turn Safety for Multimodal Language Models

2025 3 cit.
86%
attack

VRSA: Jailbreaking Multimodal Large Language Models through Visual Reasoning Sequential Attack

2025 0 cit.
81%