# The Resurgence of GCG Adversarial Attacks on Large Language Models

**Authors:** Yuting Tan, Xuying Li, Zhuo Li, Huizhen Shu, and Peikang Hu

arXiv: 2509.00391 · 2025-09-03

## TL;DR

This paper systematically evaluates gradient-based adversarial attacks on large language models, revealing vulnerabilities especially in reasoning tasks and highlighting the limitations of current methods like GCG and T-GCG.

## Contribution

It provides a comprehensive analysis of GCG and T-GCG attacks across various LLMs, exposing vulnerabilities and limitations in current adversarial evaluation methods.

## Key findings

- Attack success rates decrease with larger models.
- Prefix heuristics overestimate attack effectiveness.
- Reasoning prompts are more vulnerable than safety prompts.

## Abstract

Gradient-based adversarial prompting, such as the Greedy Coordinate Gradient (GCG) algorithm, has emerged as a powerful method for jailbreaking large language models (LLMs). In this paper, we present a systematic appraisal of GCG and its annealing-augmented variant, T-GCG, across open-source LLMs of varying scales. Using Qwen2.5-0.5B, LLaMA-3.2-1B, and GPT-OSS-20B, we evaluate attack effectiveness on both safety-oriented prompts (AdvBench) and reasoning-intensive coding prompts. Our study reveals three key findings: (1) attack success rates (ASR) decrease with model size, reflecting the increasing complexity and non-convexity of larger models' loss landscapes; (2) prefix-based heuristics substantially overestimate attack effectiveness compared to GPT-4o semantic judgments, which provide a stricter and more realistic evaluation; and (3) coding-related prompts are significantly more vulnerable than adversarial safety prompts, suggesting that reasoning itself can be exploited as an attack vector. In addition, preliminary results with T-GCG show that simulated annealing can diversify adversarial search and achieve competitive ASR under prefix evaluation, though its benefits under semantic judgment remain limited. Together, these findings highlight the scalability limits of GCG, expose overlooked vulnerabilities in reasoning tasks, and motivate further development of annealing-inspired strategies for more robust adversarial evaluation.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2509.00391/full.md

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/2509.00391/full.md

## References

41 references — full list in the complete paper: https://tomesphere.com/paper/2509.00391/full.md

---
Source: https://tomesphere.com/paper/2509.00391