English

Response Attack: Exploiting Contextual Priming to Jailbreak Large Language Models

Computation and Language 2025-11-24 v2

Abstract

Contextual priming, where earlier stimuli covertly bias later judgments, offers an unexplored attack surface for large language models (LLMs). We uncover a contextual priming vulnerability in which the previous response in the dialogue can steer its subsequent behavior toward policy-violating content. While existing jailbreak attacks largely rely on single-turn or multi-turn prompt manipulations, or inject static in-context examples, these methods suffer from limited effectiveness, inefficiency, or semantic drift. We introduce Response Attack (RA), a novel framework that strategically leverages intermediate, mildly harmful responses as contextual primers within a dialogue. By reformulating harmful queries and injecting these intermediate responses before issuing a targeted trigger prompt, RA exploits a previously overlooked vulnerability in LLMs. Extensive experiments across eight state-of-the-art LLMs show that RA consistently achieves significantly higher attack success rates than nine leading jailbreak baselines. Our results demonstrate that the success of RA is directly attributable to the strategic use of intermediate responses, which induce models to generate more explicit and relevant harmful content while maintaining stealth, efficiency, and fidelity to the original query. The code and data are available at https://github.com/Dtc7w3PQ/Response-Attack.

Keywords

Cite

@article{arxiv.2507.05248,
  title  = {Response Attack: Exploiting Contextual Priming to Jailbreak Large Language Models},
  author = {Ziqi Miao and Lijun Li and Yuan Xiong and Zhenhua Liu and Pengyu Zhu and Jing Shao},
  journal= {arXiv preprint arXiv:2507.05248},
  year   = {2025}
}

Comments

20 pages, 10 figures. Code and data available at https://github.com/Dtc7w3PQ/Response-Attack

R2 v1 2026-07-01T03:49:57.371Z