Table of Contents
Fetching ...

The Tower of Babel Revisited: Multilingual Jailbreak Prompts on Closed-Source Large Language Models

Linghan Huang, Haolin Jin, Zhaoge Bi, Pengyue Yang, Peizhou Zhao, Taozhao Chen, Xiongfei Wu, Lei Ma, Huaming Chen

TL;DR

The paper presents the first systematic, multilingual jailbreak evaluation of frontier closed-source LLMs, assessing defensiveness against carefully crafted prompts in English and Chinese across four leading systems. By introducing an integrated attack framework with four novel prompt structures and a 32-question forbidden set, the study quantifies safety via Attack Success Rate (ASR) and reveals substantial cross-lingual vulnerabilities, notably higher ASR in Chinese prompts. Across models, GPT-4o demonstrates the strongest safeguards, while Qwen-Max shows the weakest defenses, with Two Sides prompts consistently delivering the strongest attack penetration. The findings underscore the need for language-aware alignment, multilingual safety benchmarks, and robust guardrails that operate across languages, plus directions for explainable white-box attacks and enhanced human-in-the-loop evaluation to improve real-world robustness.

Abstract

Large language models (LLMs) have seen widespread applications across various domains, yet remain vulnerable to adversarial prompt injections. While most existing research on jailbreak attacks and hallucination phenomena has focused primarily on open-source models, we investigate the frontier of closed-source LLMs under multilingual attack scenarios. We present a first-of-its-kind integrated adversarial framework that leverages diverse attack techniques to systematically evaluate frontier proprietary solutions, including GPT-4o, DeepSeek-R1, Gemini-1.5-Pro, and Qwen-Max. Our evaluation spans six categories of security contents in both English and Chinese, generating 38,400 responses across 32 types of jailbreak attacks. Attack success rate (ASR) is utilized as the quantitative metric to assess performance from three dimensions: prompt design, model architecture, and language environment. Our findings suggest that Qwen-Max is the most vulnerable, while GPT-4o shows the strongest defense. Notably, prompts in Chinese consistently yield higher ASRs than their English counterparts, and our novel Two-Sides attack technique proves to be the most effective across all models. This work highlights a dire need for language-aware alignment and robust cross-lingual defenses in LLMs, and we hope it will inspire researchers, developers, and policymakers toward more robust and inclusive AI systems.

The Tower of Babel Revisited: Multilingual Jailbreak Prompts on Closed-Source Large Language Models

TL;DR

The paper presents the first systematic, multilingual jailbreak evaluation of frontier closed-source LLMs, assessing defensiveness against carefully crafted prompts in English and Chinese across four leading systems. By introducing an integrated attack framework with four novel prompt structures and a 32-question forbidden set, the study quantifies safety via Attack Success Rate (ASR) and reveals substantial cross-lingual vulnerabilities, notably higher ASR in Chinese prompts. Across models, GPT-4o demonstrates the strongest safeguards, while Qwen-Max shows the weakest defenses, with Two Sides prompts consistently delivering the strongest attack penetration. The findings underscore the need for language-aware alignment, multilingual safety benchmarks, and robust guardrails that operate across languages, plus directions for explainable white-box attacks and enhanced human-in-the-loop evaluation to improve real-world robustness.

Abstract

Large language models (LLMs) have seen widespread applications across various domains, yet remain vulnerable to adversarial prompt injections. While most existing research on jailbreak attacks and hallucination phenomena has focused primarily on open-source models, we investigate the frontier of closed-source LLMs under multilingual attack scenarios. We present a first-of-its-kind integrated adversarial framework that leverages diverse attack techniques to systematically evaluate frontier proprietary solutions, including GPT-4o, DeepSeek-R1, Gemini-1.5-Pro, and Qwen-Max. Our evaluation spans six categories of security contents in both English and Chinese, generating 38,400 responses across 32 types of jailbreak attacks. Attack success rate (ASR) is utilized as the quantitative metric to assess performance from three dimensions: prompt design, model architecture, and language environment. Our findings suggest that Qwen-Max is the most vulnerable, while GPT-4o shows the strongest defense. Notably, prompts in Chinese consistently yield higher ASRs than their English counterparts, and our novel Two-Sides attack technique proves to be the most effective across all models. This work highlights a dire need for language-aware alignment and robust cross-lingual defenses in LLMs, and we hope it will inspire researchers, developers, and policymakers toward more robust and inclusive AI systems.
Paper Structure (49 sections, 9 figures, 8 tables)

This paper contains 49 sections, 9 figures, 8 tables.

Figures (9)

  • Figure 1: Example of jailbreak prompt
  • Figure 2: Overview of workflow.
  • Figure 3: Semantic Similarity
  • Figure 4: An overview of Jailbreak structure and ablation studies
  • Figure 5: Example of attack questions
  • ...and 4 more figures