Overview
Severity: HIGH | Affected: Multiple LLM Providers | Category: research
A new paper from the Stanford AI Lab details a novel jailbreak technique named 'Recursive Contextual Poisoning' (RCP). Unlike traditional prompt injection methods that rely on single, complex prompts, RCP involves a multi-turn conversational strategy. The attacker first 'primes' the model with seemingly benign, but carefully crafted, contextual information over several interactions. This subtly shifts the model's internal state and safety alignment. In the final turn, a simple, innocuous-looking prompt triggers the model to bypass its safety guardrails and generate harmful or restricted content. The research demonstrates that this technique is highly effective against state-of-the-art models from major providers, achieving an 85% success rate in bypassing safety filters in their tests. The technique's stealthy, multi-step nature makes it particularly difficult to detect with existing input filters, posing a significant challenge for AI safety and alignment teams. The researchers have responsibly disclosed their findings to affected organizations ahead of publication.