Do Methods to Jailbreak and Defend LLMs Generalize Across Languages?
Berk Atil, Rebecca J. Passonneau, Fred Morstatter

TL;DR
This study evaluates how jailbreak attacks and defenses on large language models perform across ten different languages, revealing significant variability influenced by language resource levels and attack types.
Contribution
It provides the first systematic multilingual assessment of jailbreaks and defenses, highlighting the need for language-aware safety benchmarks for LLMs.
Findings
High-resource languages are safer under standard queries.
Adversarial attacks are more effective in high-resource languages.
Simple defenses vary in effectiveness depending on language and model.
Abstract
Large language models (LLMs) undergo safety alignment after training and tuning, yet recent work shows that safety can be bypassed through jailbreak attacks. While many jailbreaks and defenses exist, their cross-lingual generalization remains underexplored. This paper presents the first systematic multilingual evaluation of jailbreaks and defenses across ten languages -- spanning high-, medium-, and low-resource languages -- using six LLMs on HarmBench and AdvBench. We assess two jailbreak types: logical-expression-based and adversarial-prompt-based. For both types, attack success and defense robustness vary across languages: high-resource languages are safer under standard queries but more vulnerable to adversarial ones. Simple defenses can be effective, but are language- and model-dependent. These findings call for language-aware and cross-lingual safety benchmarks for LLMs.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Topic Modeling
