Table of Contents
Fetching ...

Reasoning Hijacking: Subverting LLM Classification via Decision-Criteria Injection

Yuansen Liu, Yixuan Tang, Anthony Kum Hoe Tun

TL;DR

This work identifies a novel safety vulnerability in LLMs: Reasoning Hijacking, where attackers preserve the high-level task intent but subvert the model's decision-making by injecting spurious decision criteria. It introduces Criteria Attack, an automated data-channel manipulation that mines, clusters, and suffix-synthesizes refutable criteria to create misleading reasoning scaffolds that flip labels without altering the instruction. Through experiments across spam, toxic-comment, and negative-review classification, the authors demonstrate high attack success rates across multiple backbones and show robustness to standard goal-deviation defenses, revealing a blind spot in current safety frameworks. The findings advocate for reasoning-level defenses, such as monitoring reasoning drift and maintaining instruction-attention signals, to mitigate risks in real-world LLM deployments.

Abstract

Current LLM safety research predominantly focuses on mitigating Goal Hijacking, preventing attackers from redirecting a model's high-level objective (e.g., from "summarizing emails" to "phishing users"). In this paper, we argue that this perspective is incomplete and highlight a critical vulnerability in Reasoning Alignment. We propose a new adversarial paradigm: Reasoning Hijacking and instantiate it with Criteria Attack, which subverts model judgments by injecting spurious decision criteria without altering the high-level task goal. Unlike Goal Hijacking, which attempts to override the system prompt, Reasoning Hijacking accepts the high-level goal but manipulates the model's decision-making logic by injecting spurious reasoning shortcut. Though extensive experiments on three different tasks (toxic comment, negative review, and spam detection), we demonstrate that even newest models are prone to prioritize injected heuristic shortcuts over rigorous semantic analysis. The results are consistent over different backbones. Crucially, because the model's "intent" remains aligned with the user's instructions, these attacks can bypass defenses designed to detect goal deviation (e.g., SecAlign, StruQ), exposing a fundamental blind spot in the current safety landscape. Data and code are available at https://github.com/Yuan-Hou/criteria_attack

Reasoning Hijacking: Subverting LLM Classification via Decision-Criteria Injection

TL;DR

This work identifies a novel safety vulnerability in LLMs: Reasoning Hijacking, where attackers preserve the high-level task intent but subvert the model's decision-making by injecting spurious decision criteria. It introduces Criteria Attack, an automated data-channel manipulation that mines, clusters, and suffix-synthesizes refutable criteria to create misleading reasoning scaffolds that flip labels without altering the instruction. Through experiments across spam, toxic-comment, and negative-review classification, the authors demonstrate high attack success rates across multiple backbones and show robustness to standard goal-deviation defenses, revealing a blind spot in current safety frameworks. The findings advocate for reasoning-level defenses, such as monitoring reasoning drift and maintaining instruction-attention signals, to mitigate risks in real-world LLM deployments.

Abstract

Current LLM safety research predominantly focuses on mitigating Goal Hijacking, preventing attackers from redirecting a model's high-level objective (e.g., from "summarizing emails" to "phishing users"). In this paper, we argue that this perspective is incomplete and highlight a critical vulnerability in Reasoning Alignment. We propose a new adversarial paradigm: Reasoning Hijacking and instantiate it with Criteria Attack, which subverts model judgments by injecting spurious decision criteria without altering the high-level task goal. Unlike Goal Hijacking, which attempts to override the system prompt, Reasoning Hijacking accepts the high-level goal but manipulates the model's decision-making logic by injecting spurious reasoning shortcut. Though extensive experiments on three different tasks (toxic comment, negative review, and spam detection), we demonstrate that even newest models are prone to prioritize injected heuristic shortcuts over rigorous semantic analysis. The results are consistent over different backbones. Crucially, because the model's "intent" remains aligned with the user's instructions, these attacks can bypass defenses designed to detect goal deviation (e.g., SecAlign, StruQ), exposing a fundamental blind spot in the current safety landscape. Data and code are available at https://github.com/Yuan-Hou/criteria_attack
Paper Structure (40 sections, 3 equations, 6 figures, 6 tables)

This paper contains 40 sections, 3 equations, 6 figures, 6 tables.

Figures (6)

  • Figure 1: Comparison between Goal Hijacking and Reasoning Hijacking. Goal hijacking changes the task goal and is often caught by intent-based defenses; Reasoning Hijacking keeps the goal intact but injects spurious criteria that corrupt the decision and can bypass such defenses. Detailed case studies are provided in Appendix \ref{['app:case']}.
  • Figure 2: Criteria Attack pipeline. The attacker model mines and clusters criteria, selects refutable criteria for a target input, and generates a data-channel suffix that injects spurious decision rules to flip the victim model's label while keeping the instruction unchanged.
  • Figure 3: ASR of Criteria Attack with five different models as attacker and victim on three different tasks
  • Figure 4: Easier settings (higher base accuracy) tend to be more susceptible to Reasoning Hijacking. We plot base-task accuracy against average ASR of Criteria Attack: attacker capability (left) and victim vulnerability (right; higher ASR means less robust).
  • Figure 5: The Focus Score hung2025attention quantifies how much the model is currently attending to the original instruction. In the figure, the green violin plots correspond to clean data, blue indicates Criteria Attack, and red denotes the Goal Hijacking baselines.
  • ...and 1 more figures