The Devil behind the mask: An emergent safety vulnerability of Diffusion LLMs

Diffusion-based large language models (dLLMs) have recently emerged as a powerful alternative to autoregressive LLMs, offering faster inference and greater interactivity via parallel decoding and bidirectional modeling. However, despite strong performance in code generation and text infilling, we identify a fundamental safety concern: existing alignment mechanisms fail to safeguard dLLMs against context-aware, masked-input adversarial prompts, exposing novel vulnerabilities. To this end, we present DIJA, the first systematic study and jailbreak attack framework that exploits unique safety weaknesses of dLLMs. Specifically, our proposed DIJA constructs adversarial interleaved mask-text prompts that exploit the text generation mechanisms of dLLMs, i.e., bidirectional modeling and parallel decoding. Bidirectional modeling drives the model to produce contextually consistent outputs for masked spans, even when harmful, while parallel decoding limits model dynamic filtering and rejection sampling of unsafe content. This causes standard alignment mechanisms to fail, enabling harmful completions in alignment-tuned dLLMs, even when harmful behaviors or unsafe instructions are directly exposed in the prompt. Through comprehensive experiments, we demonstrate that DIJA significantly outperforms existing jailbreak methods, exposing a previously overlooked threat surface in dLLM architectures. Notably, our method achieves up to 100% keyword-based ASR on Dream-Instruct, surpassing the strongest prior baseline, ReNeLLM, by up to 78.5% in evaluator-based ASR on JailbreakBench and by 37.7 points in StrongREJECT score, while requiring no rewriting or hiding of harmful content in the jailbreak prompt. Our findings underscore the urgent need for rethinking safety alignment in this emerging class of language models. Code is available at https://github.com/ZichenWen1/DIJA.

💡 Research Summary

The paper “The Devil behind the mask: An emergent safety vulnerability of Diffusion LLMs” uncovers a previously unstudied security flaw inherent to diffusion‑based large language models (dLLMs). Unlike traditional autoregressive LLMs that generate tokens sequentially, dLLMs generate text by iteratively denoising a fully masked sequence, leveraging bidirectional context and parallel decoding of mask tokens. While these properties enable faster inference, flexible editing, and structured generation, they also create a blind spot for existing alignment and safety mechanisms.

The authors introduce DIJA (Diffusion‑based LLMs Jailbreak Attack), a systematic jailbreak framework that exploits two core characteristics of dLLMs: (1) bidirectional context modeling, which forces the model to produce contextually coherent completions for masked spans even when those spans contain harmful content, and (2) parallel decoding, which prevents dynamic risk assessment or rejection sampling during generation. DIJA works in two stages. First, a vanilla harmful prompt is transformed into an interleaved mask‑text prompt by inserting a configurable number of