Re-Mask and Redirect: Exploiting Denoising Irreversibility in Diffusion Language Models

TL;DR

This paper introduces TrajHijack, a novel trajectory-level attack on diffusion language models that exploits irreversibility in token masking and prefixing, revealing significant vulnerabilities in safety alignment defenses.

Contribution

It is the first trajectory-level attack on dLLMs, demonstrating how re-masking and prefixing can bypass safety measures without gradient computation.

Findings

Re-masking and prefixing together achieve 74-82% ASR on HarmBench.

Gradient optimization reduces attack success rate, indicating continuous perturbations are less effective.

A2D defense is more vulnerable to TrajHijack than undefended models, due to the Defense Inversion Effect.

Abstract

Safety alignment in diffusion language models (dLLMs) relies on a single load-bearing assumption: that committed tokens are permanent. We show that violating this assumption, by re-masking committed refusal tokens and injecting a short affirmative prefix, achieves 74-82% ASR on HarmBench across all three publicly available safety-tuned dLLMs, rising to 92-98% with a generic 8-token compliance prefix. We call this attack TrajHijack; it is the first trajectory-level attack on dLLMs, requires no gradient computation, and generalizes across SFT and preference-optimized (VRPO) models. Three findings emerge. First, the vulnerability is irreducibly two-component: re-masking alone (4.4%) and prefix alone (5.7%) both fail. Second, gradient optimization via a differentiable Gumbel-softmax chain consistently degrades ASR (41.5% vs. 76.1%), because continuous perturbations push token distributions off-manifold. Third, A2D (the strongest published dLLM defense) is more vulnerable to TrajHijack (89.9%) than the undefended model (76.1%): its silent-refusal training removes the contextual resistance that trajectory-level attacks must overcome, an effect we call the Defense Inversion Effect.