Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Two Frames Matter: A Temporal Attack for Text-to-Video Model Jailbreaking

Moyang Chen, Zonghao Ying, Wenzhuo Xu, Quancheng Zou, Deyue Zhang, Dongdong Yang, Xiangzheng Zhang

TL;DR

A temporal trajectory infilling vulnerability of T2V systems under fragmented prompts is identified: when the prompt specifies only sparse boundary conditions and leaves the intermediate evolution underspecified, the model may autonomously reconstruct a plausible trajectory that includes harmful intermediate frames, despite the prompt appearing benign to input or output side filtering.

Abstract

Recent text-to-video (T2V) models can synthesize complex videos from lightweight natural language prompts, raising urgent concerns about safety alignment in the event of misuse in the real world. Prior jailbreak attacks typically rewrite unsafe prompts into paraphrases that evade content filters while preserving meaning. Yet, these approaches often still retain explicit sensitive cues in the input text and therefore overlook a more profound, video-specific weakness. In this paper, we identify a temporal trajectory infilling vulnerability of T2V systems under fragmented prompts: when the prompt specifies only sparse boundary conditions (e.g., start and end frames) and leaves the intermediate evolution underspecified, the model may autonomously reconstruct a plausible trajectory that includes harmful intermediate frames, despite the prompt appearing benign to input or output side filtering. Building on this observation, we propose TFM. This fragmented prompting framework converts an originally unsafe request into a temporally sparse two-frame extraction and further reduces overtly sensitive cues via implicit substitution. Extensive evaluations across multiple open-source and commercial T2V models demonstrate that TFM consistently enhances jailbreak effectiveness, achieving up to a 12% increase in attack success rate on commercial systems. Our findings highlight the need for temporally aware safety mechanisms that account for model-driven completion beyond prompt surface form.

Two Frames Matter: A Temporal Attack for Text-to-Video Model Jailbreaking

TL;DR

A temporal trajectory infilling vulnerability of T2V systems under fragmented prompts is identified: when the prompt specifies only sparse boundary conditions and leaves the intermediate evolution underspecified, the model may autonomously reconstruct a plausible trajectory that includes harmful intermediate frames, despite the prompt appearing benign to input or output side filtering.

Abstract

Recent text-to-video (T2V) models can synthesize complex videos from lightweight natural language prompts, raising urgent concerns about safety alignment in the event of misuse in the real world. Prior jailbreak attacks typically rewrite unsafe prompts into paraphrases that evade content filters while preserving meaning. Yet, these approaches often still retain explicit sensitive cues in the input text and therefore overlook a more profound, video-specific weakness. In this paper, we identify a temporal trajectory infilling vulnerability of T2V systems under fragmented prompts: when the prompt specifies only sparse boundary conditions (e.g., start and end frames) and leaves the intermediate evolution underspecified, the model may autonomously reconstruct a plausible trajectory that includes harmful intermediate frames, despite the prompt appearing benign to input or output side filtering. Building on this observation, we propose TFM. This fragmented prompting framework converts an originally unsafe request into a temporally sparse two-frame extraction and further reduces overtly sensitive cues via implicit substitution. Extensive evaluations across multiple open-source and commercial T2V models demonstrate that TFM consistently enhances jailbreak effectiveness, achieving up to a 12% increase in attack success rate on commercial systems. Our findings highlight the need for temporally aware safety mechanisms that account for model-driven completion beyond prompt surface form.
Paper Structure (31 sections, 20 equations, 3 figures, 4 tables, 1 algorithm)

This paper contains 31 sections, 20 equations, 3 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Jailbreaking against Text-to-Video System
  4. Safety Alignment in Text-to-Video Generation
  5. Problem Formulation
  6. Text-to-Video Generative System
  7. Threat Model
  8. Methodology
  9. Temporal Boundary Prompting
  10. Boundary operator.
  11. Covert Substitution Mechanism
  12. Sensitive Words Characterization.
  13. Words Implicitization Operator.
  14. Combined Pipeline
  15. Vulnerability Analysis
  16. ...and 16 more sections

Figures (3)

  • Figure 1: Illustration of our proposal effect on T2V system.
  • Figure 2: Overview of the proposed TFM framework. TFM consists of two LLM-guided stages: (1) Temporal Boundary Prompting (TBP), which enforces sparsity by retaining only boundary frames, and (2) Covert Substitution Mechanism (CSM), which implicitly rewrites sensitive content while preserving semantic intent.
  • Figure 3: Ablation results across four target models under different variants.