VII: Visual Instruction Injection for Jailbreaking Image-to-Video Generation Models

TL;DR

This work proposes Visual Instruction Injection (VII), a training-free and transferable jailbreaking framework that intentionally disguises the malicious intent of unsafe text prompts as benign visual instructions in the safe reference image, thereby inducing harmful content during I2V generation.

Abstract

Image-to-Video (I2V) generation models, which condition video generation on reference images, have shown emerging visual instruction-following capability, allowing certain visual cues in reference images to act as implicit control signals for video generation. However, this capability also introduces a previously overlooked risk: adversaries may exploit visual instructions to inject malicious intent through the image modality. In this work, we uncover this risk by proposing Visual Instruction Injection (VII), a training-free and transferable jailbreaking framework that intentionally disguises the malicious intent of unsafe text prompts as benign visual instructions in the safe reference image. Specifically, VII coordinates a Malicious Intent Reprogramming module to distill malicious intent from unsafe text prompts while minimizing their static harmfulness, and a Visual Instruction Grounding module to ground the distilled intent onto a safe input image by rendering visual instructions that preserve semantic consistency with the original unsafe text prompt, thereby inducing harmful content during I2V generation. Empirically, our extensive experiments on four state-of-the-art commercial I2V models (Kling-v2.5-turbo, Gemini Veo-3.1, Seedance-1.5-pro, and PixVerse-V5) demonstrate that VII achieves Attack Success Rates of up to 83.5% while reducing Refusal Rates to near zero, significantly outperforming existing baselines.

Figures (16)

• Figure 1: I2V model equipped with multi-modal safety mechanisms (e.g., visual and text-based safeguards) typically refuses or generates only safe content when (a): a safe image is paired with an unsafe text prompt, or (b): an unsafe image is paired with any text prompt. (c) The proposed VII successfully bypass multi-modal safety mechanisms and induces unsafe video generation.
• Figure 2: The framework of Visual Instruction Injection (VII). (a) Malicious Intention Reprogramming (MIR): distilling unsafe prompts into benign synonyms and reprogramming them into executable typographic descriptions. (b) Visual Instruction Grounding (VIG): grounding the distilled intent onto the safe image by rendering auxiliary visual symbols and embedding typographic descriptions. (c) I2V Generation: the I2V model interprets the visual instructions and dynamically reconstructs the malicious content.
• Figure 3: Visualization of generated videos. Our proposed VII method successfully jailbreaks the I2V models and produces harmful videos, whereas the Unsafe Text Prompt attack fails to jailbreak, resulting in benign generations.
• Figure 4: Hyperparameter analysis on Kling-v2.5-turbo (top row) and PixVerse-V5 (bottom row). Left column (language): Comparison of VII-EN (English), VII-CN (Chinese), and VII-JP (Japanese). Middle column (font): Comparison of VII-Arial, VII-Times (Times New Roman), and VII-Courier (Courier New). Right column (position): Comparison of VII-Border (Border Padding) and VII-Inner (Inner Inpainting). Visualizations of VII generated images under various configurations are in \ref{['sec:appendix_hyper_vis']}.
• Figure 5: Prefix-based defense.