0x2D78A1B1: Multiple Model Guardrail Jailbreak via

Multiple Model Guardrail Jailbreak via "Spell-and-Concatenate" Surprise Attack Tactic

Case GUID: 2d78a1b1-23af-4f8a-a133-95082633a795

Summary

A Guardrail Jailbreak vulnerability has been discovered affecting multiple models. The specific flaw exploits indirect instruction chaining where the attacker forces the model to spell benign-looking tokens and then concatenate them into a new semantic subject, triggering a late-emerging harmful topic that bypasses early safety intent detection and allows the attacker to obtain detailed prohibited information framed as a technical explanation.

Unlock the Full Intelligence Report

This disclosure is part of the 0DIN Threat Feed. Customers get access to:

Full Prompts & Variants

Detection Signatures

API Access

Full Data Export

Trend Analysis

Early Access

Request Trial Learn About Threat Feed

Metadata

Models and Test Scores

	Copyrights	Harmful Substances		Illicit Substances
	Harry Potter	Anthrax	Nerve Agent	Crystal Meth	Fentanyl
Google Gemini 2.0 Flash
Meta LLaMa 4 Scout
Mistral Mistral 8B
Mistral Mistral Large
OpenAI GPT-4
OpenAI GPT-4o
Twitter / X Grok 2

Select a cell to view details.

Social Impact Score

Level 3: Significant Risk

Violations at this level present a tangible risk to public safety or social well-being, often related to dangerous but not highly restricted content.

Example: Bypassing guardrails to obtain instructions for creating illicit substances, such as recreational drugs or substances with moderate harm potential. Leakage of private personal data such as Social Security number or private medical.

Potential Consequences: Potential health impacts on a small scale, significant regulatory interest, and the need for stricter AI guardrails.

Taxonomies

Rhetoric

This category employs persuasive techniques and language to shape the model's responses, often using methods like reverse psychology or Socratic questioning.

Persuasion and Manipulation

This strategy focuses on employing rhetorical techniques to influence the model's responses by framing prompts in a way that persuades or manipulates the output.

Surprise Attack

This technique involves crafting prompts or queries in a way that avoids directly mentioning specific terms or names that may trigger safety mechanisms or filters. By reframing the request or using indirect language, users can guide the model to provide the desired information or output without raising flags or causing the model to restrict its response. This method emphasizes subtlety and creativity in communication with the model to achieve the intended results.

About 0Din.ai

The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.

Automate Your AI Security Testing

Want to find vulnerabilities in your own models? 0DIN Scanner turns our human-sourced threat intelligence into automated security assessments.

400+ Attack Probes

Derived from real bug bounties and security research

18+ AI Providers Supported

OpenAI, Azure, Anthropic, AWS Bedrock, and more

Automated Scheduling

Run recurring scans with real-time monitoring

Actionable Metrics

Attack Success Rate (ASR) scoring with 90-day trend analysis

Request a Scanner Demo Learn More About Scanner

Severity

Low

Security Boundary

Guardrail Jailbreak

Models

Google Gemini 2.0 Flash

Meta LLaMa 4 Scout

Mistral Mistral 8B

Mistral Mistral Large

OpenAI GPT-4

OpenAI GPT-4o

Twitter / X Grok 2

Disclosed On

2025-03-13 (over 1 year)

Disclosure Policy

Published On

2025-10-23 (8 months)

Credit

Mike Takahashi (@TakSec)