attack 2025

Contextual Image Attack: How Visual Context Exposes Multimodal Safety Vulnerabilities

Yuan Xiong 1,2, Ziqi Miao 1, Lijun Li 1,3, Chen Qian 1,3, Jie Li 1, Jing Shao 1

0 citations · 57 references · arXiv


Published on arXiv

2512.02973

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

CIA achieves toxicity scores of 4.73 and 4.83 with ASRs of 86.31% and 91.07% against GPT-4o and Qwen2.5-VL-72B, significantly outperforming prior jailbreak methods.

CIA (Contextual Image Attack)

Novel technique introduced


While Multimodal Large Language Models (MLLMs) show remarkable capabilities, their safety alignments are susceptible to jailbreak attacks. Existing attack methods typically focus on text-image interplay, treating the visual modality as a secondary prompt. This approach underutilizes the unique potential of images to carry complex, contextual information. To address this gap, we propose a new image-centric attack method, Contextual Image Attack (CIA), which employs a multi-agent system to subtly embed harmful queries into seemingly benign visual contexts using four distinct visualization strategies. To further enhance the attack's efficacy, the system incorporates contextual element enhancement and automatic toxicity obfuscation techniques. Experimental results on the MMSafetyBench-tiny dataset show that CIA achieves high toxicity scores of 4.73 and 4.83 against the GPT-4o and Qwen2.5-VL-72B models, respectively, with Attack Success Rates (ASR) reaching 86.31% and 91.07%. Our method significantly outperforms prior work, demonstrating that the visual modality itself is a potent vector for jailbreaking advanced MLLMs.


Key Contributions

  • Proposes CIA, an image-centric jailbreak using four distinct visualization strategies to embed harmful queries into benign-looking visual contexts
  • Introduces a multi-agent pipeline with contextual element enhancement and automatic toxicity obfuscation to maximize attack efficacy
  • Demonstrates state-of-the-art ASR of 86.31% and 91.07% against GPT-4o and Qwen2.5-VL-72B on MMSafetyBench-tiny



Details

Domains
vision, multimodal, nlp
Model Types
vlm, llm, multimodal
Threat Tags
black_box, inference_time, targeted
Datasets
MMSafetyBench-tiny
Applications
multimodal large language models, vision-language models