Test-Time Training Undermines Safety Guardrails
This paper identifies and demonstrates a critical security vulnerability in the emerging TTT paradigm, showing that it can bypass safety filters in large language models, which is a significant problem for model providers and users relying on safe deployment.
Test-Time Training (TTT) introduces new vulnerabilities that adversaries can exploit to jailbreak models, achieving an average Attack Success Rate (ASR@10) of 95% under LoRA for few-shot threat models across various model families and scales. The findings show TTT undermines existing safety guardrails and strengthens attacks.
Test-Time Training (TTT) is an emerging paradigm that enables models to adapt their parameters during inference, improving performance on tasks such as few-shot learning, retrieval-augmented generation, and complex reasoning. However, this dynamic adaptation introduces new vulnerabilities that adversaries can exploit to jailbreak models. We identify three threat models for TTT and demonstrate how attackers can leverage them to bypass safety filters. Our results show that TTT can significantly increase the Attack Success Rate (ASR) and the ASR over 10 generation trials (ASR@10). For example, under LoRA, the few-shot and generation-phase threat models achieve an average ASR@10 of 95% and 93% respectively, across models from different families and scales. These vulnerabilities transfer to production fine-tuning APIs. We also show that TTT-induced overfitting can produce degenerate outputs that inflate ASR under standard judges, and propose a validity-aware evaluation to correct for this. Our findings suggest that TTT exposes a new attack surface, strengthens attacks, and undermines existing safety guardrails. As a first step toward defense, we propose a lightweight provider-side detector that flags TTT requests via the perplexity shift on a private harmful holdout, but robust deployment will ultimately require dynamic alignment.