attack 2025

MetaBreak: Jailbreaking Online LLM Services via Special Token Manipulation

Wentian Zhu , Zhen Xiang , Wei Niu , Le Guan

University of Georgia

0 citations · 53 references · arXiv
α

Published on arXiv

2510.10271

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

MetaBreak outperforms SOTA jailbreak methods PAP and GPTFuzzer by 11.6% and 34.8% respectively when content moderation is deployed, and synergistically boosts their jailbreak rates when combined.

MetaBreak

Novel technique introduced

Unlike regular tokens derived from existing text corpora, special tokens are artificially created to annotate structured conversations during the fine-tuning process of Large Language Models (LLMs). Serving as metadata of training data, these tokens play a crucial role in instructing LLMs to generate coherent and context-aware responses. We demonstrate that special tokens can be exploited to construct four attack primitives, with which malicious users can reliably bypass the internal safety alignment of online LLM services and circumvent state-of-the-art (SOTA) external content moderation systems simultaneously. Moreover, we found that addressing this threat is challenging, as aggressive defense mechanisms-such as input sanitization by removing special tokens entirely, as suggested in academia-are less effective than anticipated. This is because such defense can be evaded when the special tokens are replaced by regular ones with high semantic similarity within the tokenizer's embedding space. We systemically evaluated our method, named MetaBreak, on both lab environment and commercial LLM platforms. Our approach achieves jailbreak rates comparable to SOTA prompt-engineering-based solutions when no content moderation is deployed. However, when there is content moderation, MetaBreak outperforms SOTA solutions PAP and GPTFuzzer by 11.6% and 34.8%, respectively. Finally, since MetaBreak employs a fundamentally different strategy from prompt engineering, the two approaches can work synergistically. Notably, empowering MetaBreak on PAP and GPTFuzzer boosts jailbreak rates by 24.3% and 20.2%, respectively.

Key Contributions

  • Identifies four attack primitives constructed from special token manipulation that bypass both internal LLM safety alignment and external content moderation simultaneously
  • Demonstrates that input sanitization defenses (removing special tokens) are insufficient, as special tokens can be replaced with semantically similar regular tokens in embedding space
  • Shows MetaBreak is synergistic with prompt-engineering jailbreaks (PAP, GPTFuzzer), boosting their jailbreak rates by 24.3% and 20.2% respectively when combined

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llmtransformer
Threat Tags
black_boxinference_timetargeted
Datasets
AdvBench
Applications
llm chatbotsonline llm servicescontent moderation systems
Read PDF arXiv DOI

Similar Papers

attack

Let the Bees Find the Weak Spots: A Path Planning Perspective on Multi-Turn Jailbreak Attacks against LLMs

2025 0 cit.
100%
attack

Transferable Direct Prompt Injection via Activation-Guided MCMC Sampling

2025 0 cit.
100%
attack

Emoji-Based Jailbreaking of Large Language Models

2026 0 cit.
100%
attack

Distillability of LLM Security Logic: Predicting Attack Success Rate of Outline Filling Attack via Ranking Regression

2025 0 cit.
100%
attack

Is Reasoning Capability Enough for Safety in Long-Context Language Models?

2026 0 cit.
100%
attack

From Adversarial Poetry to Adversarial Tales: An Interpretability Research Agenda

2025 1 cit.
100%
attack

AIP: Subverting Retrieval-Augmented Generation via Adversarial Instructional Prompt

2025 0 cit.
100%
attack

Not All Tokens Are Created Equal: Query-Efficient Jailbreak Fuzzing for LLMs

2026 0 cit.
100%