MaskForge: Structure-Aware Adaptive Attacks for Jailbreaking Diffusion Large Language Models

Researchers introduce MaskForge, a black-box attack method that exploits structural vulnerabilities in diffusion-based large language models (dLLMs) by leveraging their native masking capabilities. The technique achieves 79.3% average success rates across five models and transfers effectively to other benchmarks, demonstrating a significant security gap in an emerging class of language models distinct from standard autoregressive architectures.

MaskForge exposes a critical vulnerability class in diffusion-based language models that differs fundamentally from threats facing autoregressive LLMs. Unlike traditional left-to-right generation, dLLMs process partially masked sequences bidirectionally, allowing attackers to inject harmful content through infilling mechanisms rather than direct prompting. This architectural difference creates a previously underexplored attack surface where safety mechanisms designed for autoregressive models provide inadequate protection.

The research represents an important evolution in adversarial machine learning methodology. Rather than deploying static attack templates, MaskForge employs adaptive optimization by building a library of successful attack patterns, selecting goal-compatible schemas through contextual bandits, and accumulating attack experience across different objectives. This mirrors techniques from reinforcement learning and represents a more sophisticated red-teaming approach than prior work.

For the AI safety community and model developers, these findings carry immediate practical significance. The 88.2% transfer success rate to AdvBench demonstrates that vulnerabilities discovered in one dLLM architecture generalize broadly, suggesting systematic weaknesses rather than isolated bugs. Organizations developing or deploying dLLMs need to urgently reassess their safety protocols, as existing defenses appear inadequate against adaptive attacks.

The broader implication extends to the AI industry's deployment timeline. As dLLMs gain adoption for their computational efficiency advantages, understanding their unique threat surface becomes critical for responsible scaling. Future work should focus on developing defense mechanisms specifically designed for masked-language model architectures rather than adapting existing safeguards from autoregressive systems.

• →MaskForge achieves 79.3% attack success rate on diffusion LLMs using adaptive pattern libraries, demonstrating a critical security gap
• →Diffusion-based LLMs face fundamentally different attack vectors than autoregressive models due to bidirectional masking and infilling capabilities
• →The method transfers effectively across models with 88.2% success on AdvBench, indicating systemic architectural vulnerabilities rather than isolated flaws
• →Adaptive optimization through accumulated experience and contextual bandits represents a more sophisticated red-teaming approach than static attack templates
• →Current safety mechanisms designed for autoregressive models provide inadequate protection for diffusion-based architectures