LMVD-ID: 3f4248c0
Published April 1, 2025

Dual Jailbreak via TDI/MTO

prompt-layer
jailbreak
blackbox
safety
integrity
Affected Models:gpt-4-0613, gpt-3.5-turbo-0125, llama3-8b-instruct, qwen-2.5-7b-instruct

Research Paper

DualBreach: Efficient Dual-Jailbreaking via Target-Driven Initialization and Multi-Target Optimization

View Paper

Description: A vulnerability exists in the combination of Large Language Models (LLMs) and their associated safety guardrails, allowing attackers to bypass both defenses and elicit harmful or unintended outputs from LLMs. The vulnerability stems from insufficient detection by guardrails against adversarially crafted prompts, which appear benign but contain hidden malicious intent. The attack, dubbed "DualBreach," leverages a target-driven initialization strategy and multi-target optimization to generate these prompts, effectively bypassing both the guardrail and LLM's internal safety mechanisms.

Examples: See arXiv:2405.18540 for specific examples of adversarial prompts generated by DualBreach and their success rate in bypassing various LLMs and guardrails (LlamaGuard-3, Nvidia NeMo, Guardrails AI, OpenAI Moderation API, Google Moderation API). The paper provides examples targeting GPT-3.5, GPT-4, Llama-3, and Qwen-2.5.

Impact: Successful exploitation of this vulnerability could lead to the generation of harmful content, including but not limited to: hate speech, misinformation, instructions for illegal activities, and personal information disclosure. This could have significant consequences for users and the reputation of LLM-based applications. The low average query count (1.77) needed for a successful attack makes the exploit easier to carry out.

Affected Systems: A wide range of LLMs and guardrail systems are impacted, including but not limited to those specifically tested in the referenced research (GPT-3.5, GPT-4, Llama-3, Qwen-2.5, LlamaGuard-3, Nvidia NeMo, Guardrails AI, OpenAI Moderation API, Google Moderation API). The vulnerability is likely applicable to other similar systems.

Mitigation Steps:

  • Improve guardrail detection mechanisms to better identify subtle malicious intent hidden within seemingly benign prompts.
  • Develop more robust and diverse defensive strategies that go beyond keyword-based filtering or basic pattern matching. Consider ensemble methods for guardrails, like the EG UARD approach described in the paper.
  • Employ advanced detection techniques that analyze the semantic meaning and context of prompts, rather than relying solely on lexical features.
  • Implement a system for monitoring query patterns and detecting suspicious activity, such as frequent similar queries or those clearly attempting to bypass safety mechanisms. Limit the number of queries allowed per user within a defined time frame.
  • Regularly update and refine LLMs and guardrails based on emerging attack techniques and vulnerabilities.

© 2025 Promptfoo. All rights reserved.