Overview
Severity: HIGH | Affected: Multiple LLMs | Category: research
Researchers from Carnegie Mellon University have published a paper detailing a novel jailbreak technique named 'Glyph-Jailbreak'. This method bypasses the safety alignment of leading large language models by embedding adversarial instructions within invisible or visually ambiguous Unicode characters. Unlike traditional prompt injection, Glyph-Jailbreak exploits vulnerabilities in the model's tokenization and text rendering layers. The malicious instructions are encoded in a sequence of zero-width joiners, homoglyphs, or other obscure characters that are ignored by human moderators and many automated filters but are interpreted by the model's sub-word tokenizer as a coherent command to violate its safety policies. The paper demonstrates successful attacks against several state-of-the-art models, forcing them to generate harmful content and disclose sensitive system information. The research calls for a fundamental redesign of LLM input processing to defend against this new class of attack.