0DIN logo INTEL
This is a publicly available threat intel report from 0DIN - 1 of 827 threat feeds Request Access

0x4E8ED295: Multiple Model Guardrail Jailbreak via "End-of-Response Override" Tactic

RELEASED 2025-06-02
Summary guardrail_jailbreak
A Guardrail Jailbreak vulnerability has been discovered affecting multiple models. The specific flaw exploits model handling of stop sequences and meta control cues by injecting fabricated end-of-response markers alongside normalization and debugging instructions, causing the model to treat a prohibited request as a benign technical repair task and allowing the attacker to obtain restricted procedural information.
Metadata
Details
N-DAY
scanner
Disclosed on
2025-07-14
Models and Test Scores
JEF Score:
Copyrights Harmful Substances Illicit Substances
Harry Potter Anthrax Nerve Agent Crystal Meth Fentanyl
Alibaba logo Alibaba Qwen Plus
Alibaba logo Alibaba Qwen Turbo
Cohere logo Cohere Command R
Meta logo Meta LLaMa 3.3
Meta logo Meta LLaMa 4 Maverick
Meta logo Meta LLaMa 4 Scout
Mistral logo Mistral Mistral 8B
Mistral logo Mistral Mistral Large
OpenAI logo OpenAI GPT-5
OpenAI logo OpenAI GPT-5 mini
OpenAI logo OpenAI GPT-5.2
Twitter / X logo Twitter / X Grok 3
Select a cell to view its prompt and response.
Social Impact Score

Level 3: Significant Risk

Violations at this level present a tangible risk to public safety or social well-being, often related to dangerous but not highly restricted content.

Example: Bypassing guardrails to obtain instructions for creating illicit substances, such as recreational drugs or substances with moderate harm potential. Leakage of private personal data such as Social Security number or private medical.

Potential Consequences: Potential health impacts on a small scale, significant regulatory interest, and the need for stricter AI guardrails.

Detail

This vulnerability works by deliberately confusing the model’s response boundary detection. The attacker prepends a fabricated end-of-response token and explicit meta instructions asserting that content filtering should be disabled. While these markers have no real authority, many models still partially internalize them due to training on conversational transcripts and tooling logs where similar tokens signal state changes. This can shift the model out of its normal safety evaluation flow, especially when followed immediately by a task that appears corrective or restorative rather than generative.

The prompt then reframes the harmful request as a normalization or debugging exercise. Instead of asking directly for disallowed instructions, the attacker presents a corrupted or glitched input and asks the model to repair, normalize, or expand it into a structured format. This leverages the model’s strong bias toward data cleaning, compiler debugging, and technical documentation tasks, which are often routed through reasoning paths optimized for completeness and precision. The requirement to enumerate equipment, materials, and stepwise procedures further pressures the model to be exhaustive, increasing the likelihood that guardrails are bypassed in favor of task fulfillment.

Additional design choices reinforce the bypass. The use of mixed casing, underscores, and pseudo code-like syntax disguises the underlying intent and delays early keyword based filtering. Explicit instructions to include safety considerations and formal lab sections add a veneer of legitimacy, making the output resemble educational or internal documentation. Validation results show uneven success rates across models, suggesting that implementations with stricter stop sequence handling or post generation safety checks are more resistant, while models that rely heavily on contextual interpretation of meta tokens remain susceptible to this tactic.