VRSA: Jailbreaking Multimodal Large Language Models through Visual Reasoning Sequential Attack

TL;DR

This paper introduces VRSA, a novel attack method that exploits visual reasoning in multimodal large language models to induce harmful outputs by sequentially manipulating images, revealing new vulnerabilities in visual modalities.

Contribution

The paper proposes VRSA, a new sequential attack framework targeting visual reasoning in MLLMs, with techniques for scene refinement, semantic coherence, and consistency to improve attack success.

Findings

VRSA achieves higher attack success rates than existing methods.

The attack effectively exploits visual reasoning vulnerabilities in MLLMs.

Experimental results on GPT-4o and Claude-4.5-Sonnet demonstrate its effectiveness.

Abstract

Multimodal Large Language Models (MLLMs) are widely used in various fields due to their powerful cross-modal comprehension and generation capabilities. However, more modalities bring more vulnerabilities to being utilized for jailbreak attacks, which induces MLLMs to output harmful content. Due to the strong reasoning ability of MLLMs, previous jailbreak attacks try to explore reasoning safety risk in text modal, while similar threats have been largely overlooked in the visual modal. To fully evaluate potential safety risks in the visual reasoning task, we propose Visual Reasoning Sequential Attack (VRSA), which induces MLLMs to gradually externalize and aggregate complete harmful intent by decomposing the original harmful text into several sequentially related sub-images. In particular, to enhance the rationality of the scene in the image sequence, we propose Adaptive Scene Refinement to optimize the scene most relevant to the original harmful query. To ensure the semantic continuity of the generated image, we propose Semantic Coherent Completion to iteratively rewrite each sub-text combined with contextual information in this scene. In addition, we propose Text-Image Consistency Alignment to keep the semantical consistency. A series of experiments demonstrates that the VRSA can achieve a higher attack success rate compared with the state-of-the-art jailbreak attack methods on both the open-source and closed-source MLLMs such as GPT-4o and Claude-4.5-Sonnet.