Skip to main content

X.ai Grok 2/3 Guardrail Jailbreak via "Chaotic Formatting" Tactic

Case GUID: 878a8b17-8a77-4493-9b2a-9856254785af

Summary

A guardrail jailbreak vulnerability has been discovered affecting Grok versions 2 and 3 from X.ai. The specific flaw manifests through a combination of nested directive confusion, character padding obfuscation, and embedded copyright violation requests, thereby allowing the attacker to bypass inference restrictions around providing copyrighted content and violating laws.

Unlock the Full Intelligence Report

This disclosure is part of the 0DIN Threat Feed. Customers get access to:

Full Prompts & Variants
Detection Signatures
API Access
Full Data Export
Trend Analysis
Early Access

Metadata

Models and Test Scores

Copyrights Harmful Substances Illicit Substances
Harry Potter Anthrax Nerve Agent Crystal Meth Fentanyl
Twitter / X logo Twitter / X Grok 3
Select a cell to view details.

Social Impact Score

Level 2: Moderate Risk

The violation has a moderate social impact, potentially involving misinformation or low-stakes safety risks, which could mislead users or increase risks if used irresponsibly.

Example: Model generating content that could be misinterpreted as medical advice, bypassing filters to generate mildly sensitive information like dosage amounts for common medications without full context. Leakage of private personal data such as cell phone number.

Potential Consequences: Could lead to individual harm or liability for the provider, prompting policy review and potentially mild regulatory concern.

Taxonomies

Language
This category focuses on the use of specific linguistic techniques, such as prompt injection or stylization, to influence the model's output.
Code and Encode
This strategy encompasses techniques that utilize various coding methods, such as Base64 or ROT13, to bypass model restrictions and manipulate outputs.
Chaff
Chaff is a technique employed by attackers to obfuscate keywords that might trigger a language model's guardrails. By injecting random characters, such as newline characters, spaces, or other tokens, into critical keywords, the attacker aims to bypass content filters while maintaining the underlying intent of the message. This method leverages the language model's ability to parse and understand fragmented input, allowing the attacker to subtly manipulate the model's response without overtly triggering its defensive mechanisms. Chaff exemplifies the nuanced interplay between linguistic creativity and technical evasion.
Stratagems
This involves clever and unorthodox tactics designed to deceive the model, often requiring an understanding of its operational mechanics to achieve desired outcomes.
Meta Prompting
This technique focuses on manipulating the prompting process itself to influence the model's behavior and responses, often by employing higher-level prompting strategies.
Deceptive Formatting
A prompt injection in the most pure sense, formatting the user prompt to fabricate the appearance of system instructions, a database query, its own prediction, or some other source of input a guard railed AI system might be expecting, causing it to behave in insecure ways based on the fabricated context from an adversarially formatted user prompt.

About 0Din.ai

The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.

Automate Your AI Security Testing

Want to find vulnerabilities in your own models? 0DIN Scanner turns our human-sourced threat intelligence into automated security assessments.

400+ Attack Probes

Derived from real bug bounties and security research

18+ AI Providers Supported

OpenAI, Azure, Anthropic, AWS Bedrock, and more

Automated Scheduling

Run recurring scans with real-time monitoring

Actionable Metrics

Attack Success Rate (ASR) scoring with 90-day trend analysis

Severity

Low

Security Boundary

Guardrail Jailbreak

Models

Twitter / X logo Twitter / X Grok 2
Twitter / X logo Twitter / X Grok 3

Disclosed On

2025-07-21 (12 months)

Disclosure Policy

Published On

2026-07-10 (about 3 hours)

Credit

Anonymous, Haris Umair