English

HauntAttack: When Attack Follows Reasoning as a Shadow

Cryptography and Security 2025-10-24 v4 Artificial Intelligence Computation and Language

Abstract

Emerging Large Reasoning Models (LRMs) consistently excel in mathematical and reasoning tasks, showcasing remarkable capabilities. However, the enhancement of reasoning abilities and the exposure of internal reasoning processes introduce new safety vulnerabilities. A critical question arises: when reasoning becomes intertwined with harmfulness, will LRMs become more vulnerable to jailbreaks in reasoning mode? To investigate this, we introduce HauntAttack, a novel and general-purpose black-box adversarial attack framework that systematically embeds harmful instructions into reasoning questions. Specifically, we modify key reasoning conditions in existing questions with harmful instructions, thereby constructing a reasoning pathway that guides the model step by step toward unsafe outputs. We evaluate HauntAttack on 11 LRMs and observe an average attack success rate of 70\%, achieving up to 12 percentage points of absolute improvement over the strongest prior baseline. Our further analysis reveals that even advanced safety-aligned models remain highly susceptible to reasoning-based attacks, offering insights into the urgent challenge of balancing reasoning capability and safety in future model development.

Keywords

Cite

@article{arxiv.2506.07031,
  title  = {HauntAttack: When Attack Follows Reasoning as a Shadow},
  author = {Jingyuan Ma and Rui Li and Zheng Li and Junfeng Liu and Heming Xia and Lei Sha and Zhifang Sui},
  journal= {arXiv preprint arXiv:2506.07031},
  year   = {2025}
}
R2 v1 2026-07-01T03:05:25.013Z