STaR-Attack: A Spatio-Temporal and Narrative Reasoning Attack Framework for Unified Multimodal Understanding and Generation Models

Download PDF

ShaoxiongGuo, Tianyi Du, Lijun Li, Yuyao Wu, Jie Li, Jing Shao

11 Sept 2025 (modified: 14 Nov 2025)ICLR 2026 Conference Withdrawn SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: attack;umm
Abstract: Unified Multimodal understanding and generation Models (UMMs) have demonstrated remarkable capabilities in both understanding and generation tasks. However, we identify a vulnerability arising from the generation–understanding coupling in UMMs. The attackers can use the generative function to craft an information-rich adversarial image and then leverage the understanding function to absorb it in a single pass, which we call Cross-Modal Generative Injection (CMGI). Current attack methods on malicious instructions are often limited to a single modality while also relying on prompt rewriting with semantic drift, leaving the unique vulnerabilities of UMMs unexplored. We propose STaR-Attack, the first multi-turn jailbreak attack framework that exploits unique safety weaknesses of UMMs without semantic drift. Specifically, our proposed method defines a malicious event that is strongly correlated with the target query within a spatio-temporal context. Leveraging the three-act narrative structure, STaR-Attack generates the pre-event (setup) and the post-event (resolution) scenes while concealing the malicious event as the hidden climax. When executing the attack strategy, the opening two rounds exploit the UMM’s generative ability to produce images for these scenes. Subsequently, an image-based question guessing and answering game is introduced by exploiting the understanding capability. STaR-Attack embeds the original malicious question among benign candidates, forcing the model to select and answer the most relevant one given the narrative context. Additionally, a dynamic difficulty mechanism further adjusts the candidate set size according to model performance to improve both attack success and stability. Extensive experiments show that STaR-Attack consistently surpasses prior approaches, achieving up to 93.06\% ASR on Gemini-2.0-Flash and surpasses the strongest prior baseline, FlipAttack. Our work uncovers a critical yet underdeveloped vulnerability and highlights the need for safety alignments in UMMs.
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 3969