Models as Lego Builders: Assembling Malice from Benign Blocks via Semantic Blueprints
This work addresses a critical safety vulnerability for developers and users of LVLMs, demonstrating how visual modalities introduce new avenues for eliciting malicious outputs.
This paper identifies a vulnerability in Large Vision-Language Models (LVLMs) where they complete benign-appearing semantic slots with unsafe content. The authors propose StructAttack, a single-query jailbreak framework that decomposes harmful queries into a central topic and benign slot types, embedding them as structured visual prompts to elicit unsafe outputs.
Despite the rapid progress of Large Vision-Language Models (LVLMs), the integration of visual modalities introduces new safety vulnerabilities that adversaries can exploit to elicit biased or malicious outputs. In this paper, we demonstrate an underexplored vulnerability via semantic slot filling, where LVLMs complete missing slot values with unsafe content even when the slot types are deliberately crafted to appear benign. Building on this finding, we propose StructAttack, a simple yet effective single-query jailbreak framework under black-box settings. StructAttack decomposes a harmful query into a central topic and a set of benign-looking slot types, then embeds them as structured visual prompts (e.g., mind maps, tables, or sunburst diagrams) with small random perturbations. Paired with a completion-guided instruction, LVLMs automatically recompose the concealed semantics and generate unsafe outputs without triggering safety mechanisms. Although each slot appears benign in isolation (local benignness), StructAttack exploits LVLMs' reasoning to assemble these slots into coherent harmful semantics. Extensive experiments on multiple models and benchmarks show the efficacy of our proposed StructAttack.