Benign-to-Toxic Jailbreaking: Inducing Harmful Responses from Harmless Prompts
Journal:
arXiv
Published Date:
May 26, 2025
Abstract
Optimization-based jailbreaks typically adopt the Toxic-Continuation setting
in large vision-language models (LVLMs), following the standard next-token
prediction objective. In this setting, an adversarial image is optimized to
make the model predict the next token of a toxic prompt. However, we find that
the Toxic-Continuation paradigm is effective at continuing already-toxic
inputs, but struggles to induce safety misalignment when explicit toxic signals
are absent. We propose a new paradigm: Benign-to-Toxic (B2T) jailbreak. Unlike
prior work, we optimize adversarial images to induce toxic outputs from benign
conditioning. Since benign conditioning contains no safety violations, the
image alone must break the model's safety mechanisms. Our method outperforms
prior approaches, transfers in black-box settings, and complements text-based
jailbreaks. These results reveal an underexplored vulnerability in multimodal
alignment and introduce a fundamentally new direction for jailbreak approaches.
