Safer by Diffusion, Broken by Context: Diffusion LLM's Safety Blessing and Its Failure Mode

TL;DR

Diffusion large language models (D-LLMs) are inherently more robust against jailbreak attacks due to their generation process, but simple context nesting strategies can bypass this safety feature, revealing critical vulnerabilities.

Contribution

This work analyzes the safety benefits of D-LLMs' diffusion process and uncovers a simple context nesting attack that can bypass their safety mechanisms.

Findings

Diffusion trajectory induces a stepwise reduction suppressing unsafe outputs.

Context nesting can bypass D-LLMs' safety, achieving high attack success rates.

First successful jailbreak of Gemini Diffusion exposes a critical vulnerability.

Abstract

Diffusion large language models (D-LLMs) offer an alternative to autoregressive LLMs (AR-LLMs) and have demonstrated advantages in generation efficiency. Beyond the utility benefits, we argue that D-LLMs exhibit a previously underexplored safety blessing: their diffusion-style generation confers intrinsic robustness against jailbreak attacks originally designed for AR-LLMs. In this work, we provide an initial analysis of the underlying mechanism, showing that the diffusion trajectory induces a stepwise reduction effect that progressively suppresses unsafe generations. This robustness, however, is not absolute. Following this analysis, we highlight a simple yet effective failure mode, context nesting, in which harmful requests are embedded within structured benign contexts. Empirically, we show that this simple black-box strategy bypasses D-LLMs' safety blessing, achieving state-of-the-art attack success rates across models and benchmarks. Notably, it enables the first successful jailbreak of Gemini Diffusion to our knowledge, exposing a critical vulnerability in proprietary D-LLMs. Together, our results characterize both the origins and the limits of D-LLMs' safety blessing, constituting an early-stage red-teaming of D-LLMs.