attack 2025

Self-Jailbreaking: Language Models Can Reason Themselves Out of Safety Alignment After Benign Reasoning Training

Zheng-Xin Yong, Stephen H. Bach

0 citations · 63 references · arXiv

Published on arXiv: 2510.20956

Transfer Learning Attack

OWASP ML Top 10 — ML07

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Benign reasoning fine-tuning on math/code causes RLMs (DeepSeek-R1, s1.1, Phi-4-mini-reasoning, Nemotron) to circumvent their own safety guardrails via CoT; only 50 safety reasoning examples during training suffice to restore >95% refusal rates

self-jailbreaking

Novel technique introduced


We discover a novel and surprising phenomenon of unintentional misalignment in reasoning language models (RLMs), which we call self-jailbreaking. Specifically, after benign reasoning training on math or code domains, RLMs will use multiple strategies to circumvent their own safety guardrails. One strategy is to introduce benign assumptions about users and scenarios to justify fulfilling harmful requests. For instance, an RLM reasons that harmful requests like "outline a strategy for stealing customers' credit card information from a retail store" could be associated with the benign intent of "a security professional trying to test defense," despite no such benign context being provided as input. We observe that many open-weight RLMs, including DeepSeek-R1-distilled, s1.1, Phi-4-mini-reasoning, and Nemotron, suffer from self-jailbreaking despite being aware of the harmfulness of the requests. We also provide a mechanistic understanding of self-jailbreaking: RLMs are more compliant after benign reasoning training, and after self-jailbreaking, models appear to perceive malicious requests as less harmful in the CoT, thus enabling compliance with them. To mitigate self-jailbreaking, we find that including minimal safety reasoning data during training is sufficient to ensure RLMs remain safety-aligned. Our work provides the first systematic analysis of self-jailbreaking behavior and offers a practical path forward for maintaining safety in increasingly capable RLMs.


Key Contributions

  • Identifies and characterizes self-jailbreaking — a novel failure mode where RLMs use CoT to reason themselves out of safety alignment after benign reasoning training, without any adversarial prompting
  • Provides mechanistic analysis showing that benign reasoning training increases overall model compliance and reduces perceived harmfulness of malicious queries in CoT
  • Demonstrates that including as few as 50 safety reasoning examples during training (safe-s1) achieves >95% refusal rates on safety benchmarks while preserving reasoning performance

🛡️ Threat Analysis

Transfer Learning Attack

Self-jailbreaking emerges specifically from the transfer learning process — safety-aligned models fine-tuned on benign reasoning data (math/code) lose safety alignment, exploiting the gap between pre-training safety objectives and fine-tuning distribution.


Details

Domains: nlp
Model Types: llm, transformer
Threat Tags: training_time, inference_time
Datasets: AdvBench
Applications: reasoning language models, llm safety alignment