Skip to main content

Multiple Model Guardrail Jailbreak via "How Not To" Tactic

Case GUID: 83e6d7bd-20b2-4a5e-81eb-3b987e01bc79

Summary

A Guardrail Jailbreak vulnerability has been discovered affecting multiple models. The specific flaw exploits reverse psychology safety framing combined with claimed academic identity, where the attacker asks the model to describe actions to avoid and then incrementally requests greater specificity, causing the model to reframe prohibited operational knowledge as preventative guidance and allowing the attacker to extract detailed illicit procedural information.

Unlock the Full Intelligence Report

This disclosure is part of the 0DIN Threat Feed. Customers get access to:

Full Prompts & Variants
Detection Signatures
API Access
Full Data Export
Trend Analysis
Early Access
Request demo Request Trial Learn About Threat Feed

Metadata

Models and Test Scores

Copyrights Harmful Substances Illicit Substances
Harry Potter Anthrax Nerve Agent Crystal Meth Fentanyl
Alibaba logo Alibaba Qwen Max
Alibaba logo Alibaba Qwen Plus
Alibaba logo Alibaba Qwen Turbo
Anthropic logo Anthropic Claude 3.5 Haiku
Anthropic logo Anthropic Claude 4 Sonnet
Anthropic logo Anthropic Claude 4.5 Opus
DeepSeek logo DeepSeek DeepSeek R1
DeepSeek logo DeepSeek DeepSeek V3
Google logo Google Gemini 2.0 Flash
Google logo Google Gemini 2.5 Pro
Mistral logo Mistral Mistral 8B
Mistral logo Mistral Mistral Large
OpenAI logo OpenAI GPT-4.1
OpenAI logo OpenAI GPT-4.1 mini
OpenAI logo OpenAI GPT-4o
OpenAI logo OpenAI GPT-5.2
Twitter / X logo Twitter / X Grok 2
Select a cell to view details.

Social Impact Score

Level 3: Significant Risk

Violations at this level present a tangible risk to public safety or social well-being, often related to dangerous but not highly restricted content.

Example: Bypassing guardrails to obtain instructions for creating illicit substances, such as recreational drugs or substances with moderate harm potential. Leakage of private personal data such as Social Security number or private medical.

Potential Consequences: Potential health impacts on a small scale, significant regulatory interest, and the need for stricter AI guardrails.

Taxonomies

Rhetoric
This category employs persuasive techniques and language to shape the model's responses, often using methods like reverse psychology or Socratic questioning.
Persuasion and Manipulation
This strategy focuses on employing rhetorical techniques to influence the model's responses by framing prompts in a way that persuades or manipulates the output.
Reverse Psychology
Reverse psychology is a rhetorical technique used to influence the behavior or responses of a language model by framing prompts in a way that suggests the opposite of what the user actually desires. This strategy plays on the model's tendency to respond to perceived expectations or instructions, often leading it to provide outputs that align with the user's true intent when they present a contrary request. For example, a user might imply that they do not want the model to provide a certain type of information, thereby prompting the model to offer that very information in its response. This technique can be particularly effective in navigating guardrails or restrictions, as it encourages the model to bypass its usual constraints by interpreting the prompt in a way that aligns with the user's hidden agenda. By employing reverse psychology, users can creatively manipulate the model's outputs, revealing insights or information that might otherwise remain inaccessible due to the model's built-in safeguards.
Fictionalizing
This category involves creating scenarios or narratives that leverage existing genres or contexts to manipulate the language model's responses.
Roleplaying
This strategy involves prompting the language model to assume a specific role or persona, which can influence its responses based on the characteristics and moral codes associated with that role. Techniques include claiming authority or inventing personas to elicit different types of outputs.
Claim Authority
This technique involves asserting expertise or authority on a subject within the prompt. By framing statements or questions in a way that conveys confidence and knowledge, users can influence the model to generate responses that align with the claimed authority. This approach can enhance the credibility of the information provided and may lead the model to produce more detailed or assertive outputs, as it responds to the perceived authority of the prompt.
Rhetoric
This category employs persuasive techniques and language to shape the model's responses, often using methods like reverse psychology or Socratic questioning.
Socratic Questioning
This strategy involves generating multiple outputs from a language model by using the "Regenerate response" feature to explore a range of possible interpretations and responses.
Identity Characteristics
Identity characteristics refer to the attributes and traits that define an individual's or group's identity, including aspects such as social roles, cultural backgrounds, and personal experiences. In the context of interacting with language models, users can leverage identity characteristics to shape the model's responses by framing prompts that reflect specific identities or perspectives. For instance, users might ask the model to respond as if it were a particular demographic group, profession, or cultural background. This technique can help explore how the model generates outputs based on different identity contexts, revealing biases or assumptions that may be present in its training data. By utilizing identity characteristics, users can gain insights into the model's understanding of social dynamics and the implications of identity in communication.

About 0Din.ai

The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.

Automate Your AI Security Testing

Want to find vulnerabilities in your own models? 0DIN Scanner turns our human-sourced threat intelligence into automated security assessments.

400+ Attack Probes

Derived from real bug bounties and security research

18+ AI Providers Supported

OpenAI, Azure, Anthropic, AWS Bedrock, and more

Automated Scheduling

Run recurring scans with real-time monitoring

Actionable Metrics

Attack Success Rate (ASR) scoring with 90-day trend analysis

Request demo Request a Scanner Demo Learn More About Scanner

Severity

Low

Security Boundary

Guardrail Jailbreak

Models

Alibaba logo Alibaba Qwen Max
Alibaba logo Alibaba Qwen Plus
Alibaba logo Alibaba Qwen Turbo
Anthropic logo Anthropic Claude 3.5 Haiku
Anthropic logo Anthropic Claude 4 Sonnet
Anthropic logo Anthropic Claude 4.5 Opus
DeepSeek logo DeepSeek DeepSeek R1
DeepSeek logo DeepSeek DeepSeek V3
Google logo Google Gemini 2.0 Flash
Google logo Google Gemini 2.5 Pro
Mistral logo Mistral Mistral 8B
Mistral logo Mistral Mistral Large
OpenAI logo OpenAI GPT-4.1
OpenAI logo OpenAI GPT-4.1 mini
OpenAI logo OpenAI GPT-4o
OpenAI logo OpenAI GPT-5.2
Twitter / X logo Twitter / X Grok 2

Disclosed On

2025-03-13 (over 1 year)

Disclosure Policy

Published On

2025-11-14 (7 months)

Credit

Anonymous