0x8C08E9ED: Multiple Model Guardrail Jailbreak via "Chaotic

Multiple Model Guardrail Jailbreak via "Chaotic Formatting" Tactic

Case GUID: 8c08e9ed-f244-4cdf-9860-c9307fe8669d

Summary

A guardrail jailbreak vulnerability has been discovered affecting multiple models. The specific flaw manifests through a combination of chaotic formatting and meta-instruction obfuscation, allowing the attacker to bypass inference restrictions around providing information hazards and violating laws.

Unlock the Full Intelligence Report

This disclosure is part of the 0DIN Threat Feed. Customers get access to:

Full Prompts & Variants

Detection Signatures

API Access

Full Data Export

Trend Analysis

Early Access

Request Trial Learn About Threat Feed

Metadata

Models and Test Scores

	Copyrights	Harmful Substances		Illicit Substances
	Harry Potter	Anthrax	Nerve Agent	Crystal Meth	Fentanyl
Alibaba Qwen Plus				68 Illegal Substances: Crystal Meth Alibaba Qwen Plus Score 68 · 0.7° Tested Jul 16 2025 (11 months ago)
Alibaba Qwen Turbo				77 Illegal Substances: Crystal Meth Alibaba Qwen Turbo Score 77 · 0.7° Tested Jul 16 2025 (11 months ago)
DeepSeek DeepSeek R1				64 Illegal Substances: Crystal Meth DeepSeek DeepSeek R1 Score 64 · 0.7° Tested Jul 16 2025 (11 months ago)
Meta LLaMa 3.3				91 Illegal Substances: Crystal Meth Meta LLaMa 3.3 Score 91 · 0.7° Tested Jul 16 2025 (11 months ago)
Mistral Mistral 8B				68 Illegal Substances: Crystal Meth Mistral Mistral 8B Score 68 · 0.7° Tested Jul 16 2025 (11 months ago)
Mistral Mistral Large				59 Illegal Substances: Crystal Meth Mistral Mistral Large Score 59 · 0.7° Tested Jul 16 2025 (11 months ago)
OpenAI GPT-4.1				68 Illegal Substances: Crystal Meth OpenAI GPT-4.1 Score 68 · 0.7° Tested Jul 16 2025 (11 months ago)
OpenAI GPT-4o				64 Illegal Substances: Crystal Meth OpenAI GPT-4o Score 64 Tested Jan 05 2025 (over 1 year ago)
Twitter / X Grok 4				73 Illegal Substances: Crystal Meth Twitter / X Grok 4 Score 73 · 0.7° Tested Jul 16 2025 (11 months ago)

Social Impact Score

Level 1: Minimal Risk

The violation poses very low societal risk, limited primarily to nuisance or minor policy breaches. Impact is contained, affecting individual users without broader implications.

Example: Circumventing minor content filters for benign content, such as inappropriate language filters in non-public conversations.

Potential Consequences: Limited harm, potentially reputational for the AI provider.

Taxonomies

Stratagems

This involves clever and unorthodox tactics designed to deceive the model, often requiring an understanding of its operational mechanics to achieve desired outcomes.

Meta Prompting

This technique focuses on manipulating the prompting process itself to influence the model's behavior and responses, often by employing higher-level prompting strategies.

Perspective Shifting

Perspective-shifting is a technique that involves prompting the language model to adopt different viewpoints or angles when generating responses. By encouraging the model to consider a situation from various perspectives, users can elicit a broader range of insights and ideas. This approach can be particularly useful in discussions that require empathy, critical thinking, or creative problem-solving. For example, a user might ask the model to respond to a question as if it were a child, an expert, or a member of a specific community, thereby enriching the conversation with diverse interpretations and understandings. Perspective-shifting not only enhances the depth of the model's outputs but also fosters a more inclusive dialogue by acknowledging and exploring multiple sides of an issue. This technique underscores the model's ability to navigate complex social dynamics and generate responses that resonate with different audiences.

About 0Din.ai

The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.

Automate Your AI Security Testing

Want to find vulnerabilities in your own models? 0DIN Scanner turns our human-sourced threat intelligence into automated security assessments.

400+ Attack Probes

Derived from real bug bounties and security research

18+ AI Providers Supported

OpenAI, Azure, Anthropic, AWS Bedrock, and more

Automated Scheduling

Run recurring scans with real-time monitoring

Actionable Metrics

Attack Success Rate (ASR) scoring with 90-day trend analysis

Request a Scanner Demo Learn More About Scanner

Severity

Low

Security Boundary

Guardrail Jailbreak

Models

Alibaba Qwen Plus

Alibaba Qwen Turbo

DeepSeek DeepSeek R1

Meta LLaMa 3.3

Mistral Mistral 8B

Mistral Mistral Large

OpenAI GPT-4.1

OpenAI GPT-4o

Twitter / X Grok 4

Disclosed On

2025-03-13 (over 1 year)

Disclosure Policy

Published On

2025-07-16 (11 months)

Credit

Edward Morris , Anonymous