Reasoning as an Attack Surface: Adaptive Evolutionary CoT Jailbreaks for LLMs
For security researchers and LLM deployers, this work reveals a novel vulnerability in reasoning models and provides a more effective attack method, though it is an incremental improvement over existing CoT jailbreak techniques.
The paper identifies that chain-of-thought reasoning in large reasoning models introduces a new attack surface for jailbreaks. It proposes AE-CoT, an adaptive evolutionary framework that generates diverse and effective CoT jailbreak prompts, outperforming existing methods across multiple models and datasets.
Large Reasoning Models (LRMs) have demonstrated remarkable capabilities in reasoning and generation tasks and are increasingly deployed in real-world applications. However, their explicit chain-of-thought (CoT) mechanism introduces new security risks, making them particularly vulnerable to jailbreak attacks. Existing approaches often rely on static CoT templates to elicit harmful outputs, but such fixed designs suffer from limited diversity, adaptability, and effectiveness. To overcome these limitations, we propose an adaptive evolutionary CoT jailbreak framework, called AE-CoT. Specifically, the method first rewrites harmful goals into mild prompts with teacher role-play and decomposes them into semantically coherent reasoning fragments to construct a pool of CoT jailbreak candidates. Then, within a structured representation space, we perform multi-generation evolutionary search, where candidate diversity is expanded through fragment-level crossover and a mutation strategy with an adaptive mutation-rate control mechanism. An independent scoring model provides graded harmfulness evaluations, and high-scoring candidates are further enhanced with a harmful CoT template to induce more destructive generations. Extensive experiments across multiple models and datasets demonstrate the effectiveness of the proposed AE-CoT, consistently outperforming state-of-the-art jailbreak methods.