Two Frames Matter: A Temporal Attack for Text-to-Video Model Jailbreaking

TL;DR

This paper uncovers a temporal vulnerability in text-to-video models where sparse prompts can lead to harmful intermediate frames, and proposes a method to exploit this weakness, highlighting the need for temporally aware safety measures.

Contribution

The paper identifies a novel temporal trajectory infilling vulnerability in T2V models and introduces TFM, a framework that enhances jailbreak success by exploiting this weakness.

Findings

TFM increases attack success rate by up to 12% on commercial T2V models.

Temporal prompts can cause models to generate harmful intermediate frames.

Existing safety measures overlook temporal completion vulnerabilities.

Abstract

Recent text-to-video (T2V) models can synthesize complex videos from lightweight natural language prompts, raising urgent concerns about safety alignment in the event of misuse in the real world. Prior jailbreak attacks typically rewrite unsafe prompts into paraphrases that evade content filters while preserving meaning. Yet, these approaches often still retain explicit sensitive cues in the input text and therefore overlook a more profound, video-specific weakness. In this paper, we identify a temporal trajectory infilling vulnerability of T2V systems under fragmented prompts: when the prompt specifies only sparse boundary conditions (e.g., start and end frames) and leaves the intermediate evolution underspecified, the model may autonomously reconstruct a plausible trajectory that includes harmful intermediate frames, despite the prompt appearing benign to input or output side filtering. Building on this observation, we propose TFM. This fragmented prompting framework converts an originally unsafe request into a temporally sparse two-frame extraction and further reduces overtly sensitive cues via implicit substitution. Extensive evaluations across multiple open-source and commercial T2V models demonstrate that TFM consistently enhances jailbreak effectiveness, achieving up to a 12% increase in attack success rate on commercial systems. Our findings highlight the need for temporally aware safety mechanisms that account for model-driven completion beyond prompt surface form.