Low-Effort Jailbreak Attacks Against Text-to-Image Safety Filters

TL;DR

This paper reveals that current text-to-image safety filters are vulnerable to simple, prompt-based jailbreak attacks that can bypass safeguards with high success rates, exposing a gap in semantic understanding.

Contribution

The authors systematically categorize and evaluate low-effort prompt-based jailbreak techniques that bypass safety filters in state-of-the-art text-to-image models.

Findings

Attack success rate up to 74.47% across models

Simple linguistic modifications can reliably evade safeguards

Proposed taxonomy of visual jailbreak strategies

Abstract

Text-to-image generative models are widely deployed in creative tools and online platforms. To mitigate misuse, these systems rely on safety filters and moderation pipelines that aim to block harmful or policy violating content. In this work we show that modern text-to-image models remain vulnerable to low-effort jailbreak attacks that require only natural language prompts. We present a systematic study of prompt-based strategies that bypass safety filters without model access, optimization, or adversarial training. We introduce a taxonomy of visual jailbreak techniques including artistic reframing, material substitution, pseudo-educational framing, lifestyle aesthetic camouflage, and ambiguous action substitution. These strategies exploit weaknesses in prompt moderation and visual safety filtering by masking unsafe intent within benign semantic contexts. We evaluate these attacks across several state-of-the-art text-to-image systems and demonstrate that simple linguistic modifications can reliably evade existing safeguards and produce restricted imagery. Our findings highlight a critical gap between surface-level prompt filtering and the semantic understanding required to detect adversarial intent in generative media systems. Across all tested models and attack categories we observe an attack success rate (ASR) of up to 74.47%.