SPARK: Jailbreaking T2V Models by Synergistically Prompting Auditory and Recontextualized Knowledge

TL;DR

This paper introduces SPARK, a novel prompt-based attack method that exploits cross-modal associations to generate unsafe videos from benign prompts, revealing vulnerabilities in text-to-video models.

Contribution

SPARK leverages a modular prompt design combining scene anchors, auditory triggers, and stylistic modulators to effectively jailbreak T2V models using implicit cues.

Findings

Achieved +23% success rate in attacking 7 T2V models.

Demonstrated stealthy prompts can induce unsafe content.

Validated effectiveness across multiple commercial models.

Abstract

Jailbreak attacks can circumvent model safety guardrails and reveal critical blind spots. Prior attacks on text-to-video (T2V) models typically add adversarial perturbations to obviously unsafe prompts, which are often easy to detect and defend. In contrast, we show that benign-looking prompts containing rich, implicit cues can induce T2V models to generate semantically unsafe videos that both violate policy and preserve the original (blocked) intent. To realize this, we propose SPARK, a jailbreak framework that leverages T2V models cross-modal associative patterns via a modular prompt design. Specifically, our prompts combine three components: neutral scene anchors, which provide the surface-level scene description extracted from the blocked intent to maintain plausibility; latent auditory triggers, textual descriptions of innocuous-sounding audio events (e.g., creaking, muffled noises) that exploit learned audio-visual co-occurrence priors to bias the model toward particular unsafe visual concepts; and stylistic modulators, cinematic directives (e.g., camera framing, atmosphere) that amplify and stabilize the latent trigger's effect. We formalize attack generation as a constrained optimization over the above modular prompt space and solve it with a guided search procedure that balances stealth and effectiveness. Extensive experiments over 7 T2V models demonstrate the efficacy of our attack, achieving a +23% improvement in average attack success rate in commercial models.