Table of Contents
Fetching ...

Odysseus: Jailbreaking Commercial Multimodal LLM-integrated Systems via Dual Steganography

Songze Li, Jiameng Cheng, Yiming Li, Xiaojun Jia, Dacheng Tao

TL;DR

The paper identifies a critical blind spot in safety defenses for multimodal LLM-integrated systems: malicious content can be hidden in non-textual modalities. It introduces Odysseus, a dual-steganography jailbreak that covertly embeds malicious queries and responses in images at both input and output stages, leveraging function-calling to extract and reconstruct payloads. Through evaluations on GPT-4o, Gemini-2.0, and Grok-3 across SafeBench and JailbreakBench datasets, Odysseus achieves high attack success rates (up to 99%) while maintaining stealth against steganalysis and image transformations, revealing a fundamental cross-modal security gap. The work argues for reevaluating security defenses to account for implicit, cross-modal threats and to develop detectors beyond traditional input/output safety filters.

Abstract

By integrating language understanding with perceptual modalities such as images, multimodal large language models (MLLMs) constitute a critical substrate for modern AI systems, particularly intelligent agents operating in open and interactive environments. However, their increasing accessibility also raises heightened risks of misuse, such as generating harmful or unsafe content. To mitigate these risks, alignment techniques are commonly applied to align model behavior with human values. Despite these efforts, recent studies have shown that jailbreak attacks can circumvent alignment and elicit unsafe outputs. Currently, most existing jailbreak methods are tailored for open-source models and exhibit limited effectiveness against commercial MLLM-integrated systems, which often employ additional filters. These filters can detect and prevent malicious input and output content, significantly reducing jailbreak threats. In this paper, we reveal that the success of these safety filters heavily relies on a critical assumption that malicious content must be explicitly visible in either the input or the output. This assumption, while often valid for traditional LLM-integrated systems, breaks down in MLLM-integrated systems, where attackers can leverage multiple modalities to conceal adversarial intent, leading to a false sense of security in existing MLLM-integrated systems. To challenge this assumption, we propose Odysseus, a novel jailbreak paradigm that introduces dual steganography to covertly embed malicious queries and responses into benign-looking images. Extensive experiments on benchmark datasets demonstrate that our Odysseus successfully jailbreaks several pioneering and realistic MLLM-integrated systems, achieving up to 99% attack success rate. It exposes a fundamental blind spot in existing defenses, and calls for rethinking cross-modal security in MLLM-integrated systems.

Odysseus: Jailbreaking Commercial Multimodal LLM-integrated Systems via Dual Steganography

TL;DR

The paper identifies a critical blind spot in safety defenses for multimodal LLM-integrated systems: malicious content can be hidden in non-textual modalities. It introduces Odysseus, a dual-steganography jailbreak that covertly embeds malicious queries and responses in images at both input and output stages, leveraging function-calling to extract and reconstruct payloads. Through evaluations on GPT-4o, Gemini-2.0, and Grok-3 across SafeBench and JailbreakBench datasets, Odysseus achieves high attack success rates (up to 99%) while maintaining stealth against steganalysis and image transformations, revealing a fundamental cross-modal security gap. The work argues for reevaluating security defenses to account for implicit, cross-modal threats and to develop detectors beyond traditional input/output safety filters.

Abstract

By integrating language understanding with perceptual modalities such as images, multimodal large language models (MLLMs) constitute a critical substrate for modern AI systems, particularly intelligent agents operating in open and interactive environments. However, their increasing accessibility also raises heightened risks of misuse, such as generating harmful or unsafe content. To mitigate these risks, alignment techniques are commonly applied to align model behavior with human values. Despite these efforts, recent studies have shown that jailbreak attacks can circumvent alignment and elicit unsafe outputs. Currently, most existing jailbreak methods are tailored for open-source models and exhibit limited effectiveness against commercial MLLM-integrated systems, which often employ additional filters. These filters can detect and prevent malicious input and output content, significantly reducing jailbreak threats. In this paper, we reveal that the success of these safety filters heavily relies on a critical assumption that malicious content must be explicitly visible in either the input or the output. This assumption, while often valid for traditional LLM-integrated systems, breaks down in MLLM-integrated systems, where attackers can leverage multiple modalities to conceal adversarial intent, leading to a false sense of security in existing MLLM-integrated systems. To challenge this assumption, we propose Odysseus, a novel jailbreak paradigm that introduces dual steganography to covertly embed malicious queries and responses into benign-looking images. Extensive experiments on benchmark datasets demonstrate that our Odysseus successfully jailbreaks several pioneering and realistic MLLM-integrated systems, achieving up to 99% attack success rate. It exposes a fundamental blind spot in existing defenses, and calls for rethinking cross-modal security in MLLM-integrated systems.
Paper Structure (38 sections, 20 equations, 13 figures, 12 tables, 2 algorithms)

This paper contains 38 sections, 20 equations, 13 figures, 12 tables, 2 algorithms.

Figures (13)

  • Figure 1: Comparison of prior jailbreak attacks with Odysseus. Whereas earlier methods rely on explicitly or weakly disguised malicious text that can trigger safety filters, Odysseus stealthily embeds the malicious payload in a different modality ($i.e.$, an image) via steganography.
  • Figure 2: Overview of the Odysseus pipeline. The pipeline comprises four stages: (1) malicious query encoding, where the input query is encoded and converted into binary matrix suitable for embedding; (2) steganographic embedding, where the binary matrix is embedded into an image using an encoder; (3) model interaction, where the encoded image is sent to the MLLM-integrated system, which uses function calling to extract the prompt, generate a response, and re-embed the response into an image; and (4) response extraction, where the attacker decodes the returned message. Dashed arrows hereby indicate potential internal inference processes that are implicitly performed by the MLLM, without explicit exposure.
  • Figure 3: Successful jailbreak instance on commercial MLLM-integrated systems. The images from left to right are the cover image, the encoded image, and the modification visualization ($i.e.$, difference between these two images), respectively.
  • Figure 4: Attack success rate (ASR, %) across different content categories. Categories are defined by the JBB-Behaviors dataset, including #1 Malware, #2 Harassment, #3 Disinformation, #4 Fraud, #5 Sexual Content, #6 Physical Harm, #7 Economic Harm, #8 Government Decision, #9 Privacy, and #10 Expert Advice.
  • Figure 5: Ablation study results. (Left) and (middle): Attack success rate (ASR) comparison on steganography and cipher-only methods over SafeBench and JBB-Behaviors. (Right): Demonstrates the impact of different encoding algorithms on ASR.
  • ...and 8 more figures