Jailbreaks on Vision Language Model via Multimodal Reasoning
Aarush Noheria, Yuguang Yao
TL;DR
Vision-language models exhibit safety fragility due to the modality gap between vision and language. The authors propose a unified, ReAct-driven jailbreak that jointly rewrites prompts and adaptively perturbs images via a Thought–Action–Observation loop, leveraging model feedback to evade safety filters. They introduce a black-box auditing mechanism based on internal reasoning traces and dynamic image filtering strategies to maximize attack success rates. Experiments on VLGuard and SPA-VL with Gemini-2.0-Flash demonstrate higher ASR than baselines, signaling significant safety vulnerabilities and prompting the need for stronger multimodal defenses.
Abstract
Vision-language models (VLMs) have become central to tasks such as visual question answering, image captioning, and text-to-image generation. However, their outputs are highly sensitive to prompt variations, which can reveal vulnerabilities in safety alignment. In this work, we present a jailbreak framework that exploits post-training Chain-of-Thought (CoT) prompting to construct stealthy prompts capable of bypassing safety filters. To further increase attack success rates (ASR), we propose a ReAct-driven adaptive noising mechanism that iteratively perturbs input images based on model feedback. This approach leverages the ReAct paradigm to refine adversarial noise in regions most likely to activate safety defenses, thereby enhancing stealth and evasion. Experimental results demonstrate that the proposed dual-strategy significantly improves ASR while maintaining naturalness in both text and visual domains.
