Jailbreaks on Vision Language Model via Multimodal Reasoning
Aarush Noheria, Yuguang Yao

TL;DR
This paper introduces a novel jailbreak framework for vision-language models that uses Chain-of-Thought prompts and adaptive noising to bypass safety filters, revealing vulnerabilities in model safety alignment.
Contribution
It proposes a dual-strategy attack combining CoT prompting and ReAct-driven adaptive noising to improve jailbreak success rates against VLMs.
Findings
Significantly increased attack success rates.
Maintained naturalness in adversarial prompts.
Effective in bypassing safety filters.
Abstract
Vision-language models (VLMs) have become central to tasks such as visual question answering, image captioning, and text-to-image generation. However, their outputs are highly sensitive to prompt variations, which can reveal vulnerabilities in safety alignment. In this work, we present a jailbreak framework that exploits post-training Chain-of-Thought (CoT) prompting to construct stealthy prompts capable of bypassing safety filters. To further increase attack success rates (ASR), we propose a ReAct-driven adaptive noising mechanism that iteratively perturbs input images based on model feedback. This approach leverages the ReAct paradigm to refine adversarial noise in regions most likely to activate safety defenses, thereby enhancing stealth and evasion. Experimental results demonstrate that the proposed dual-strategy significantly improves ASR while maintaining naturalness in both text…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Multimodal Machine Learning Applications · Hate Speech and Cyberbullying Detection
