Overview
Severity: HIGH | Affected: Multiple LLMs | Category: research
A research paper published by Carnegie Mellon University's CyLab introduces a novel jailbreak technique named 'Chameleon.' The attack embeds hidden, malicious instructions within Unicode glyphs that appear visually innocuous or identical to standard characters but are interpreted differently by the model's tokenizer. This discrepancy allows attackers to craft prompts that pass initial safety filters but are decoded into harmful commands by the underlying language model, enabling the generation of prohibited content such as misinformation or malicious code. The researchers demonstrated a near 95% success rate against several leading commercial and open-source models. The paper calls for more robust tokenizer-level security and defense mechanisms that can analyze character encoding, not just the final token sequence, to mitigate this new class of adversarial attacks.