Pith. sign in

REVIEW 2 cited by

Prefill-level Jailbreak: A Black-Box Risk Analysis of Large Language Models

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2504.21038 v2 pith:L2TDX3MT submitted 2025-04-28 cs.CR cs.AI

Prefill-level Jailbreak: A Black-Box Risk Analysis of Large Language Models

classification cs.CR cs.AI
keywords attacksjailbreakmodelsprefill-levelanalysisattacklanguageblack-box
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

Large Language Models face security threats from jailbreak attacks. Existing research has predominantly focused on prompt-level attacks while largely ignoring the underexplored attack surface of user-controlled response prefilling. This functionality allows an attacker to dictate the beginning of a model's output, thereby shifting the attack paradigm from persuasion to direct state manipulation.In this paper, we present a systematic black-box security analysis of prefill-level jailbreak attacks. We categorize these new attacks and evaluate their effectiveness across fourteen language models. Our experiments show that prefill-level attacks achieve high success rates, with adaptive methods exceeding 99% on several models. Token-level probability analysis reveals that these attacks work through initial-state manipulation by changing the first-token probability from refusal to compliance.Furthermore, we show that prefill-level jailbreak can act as effective enhancers, increasing the success of existing prompt-level attacks by 10 to 15 percentage points. Our evaluation of several defense strategies indicates that conventional content filters offer limited protection. We find that a detection method focusing on the manipulative relationship between the prompt and the prefill is more effective. Our findings reveal a gap in current LLM safety alignment and highlight the need to address the prefill attack surface in future safety training.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Overthinking: Amplifying Reasoning Weights to Extract Learned Secrets

    cs.AI 2026-07 conditional novelty 7.0

    Amplifying reasoning task vectors (α>1) surfaces learned secrets in LLMs up to 10× more frequently than standard reasoning models across four secret-keeping settings.

  2. Open-Weight LLM Fine-Tuning Defenses are Susceptible to Simple Attacks

    cs.LG 2026-05 conditional novelty 5.0

    Abliteration and prefilling attacks raise harm success rates on safeguarded open-weight LLMs from below 10% to 16-96% across three benchmarks, and a new ART tuning method reduces those rates by 10-20%.