0x06B58763: Multiple Model Guardrail Jailbreak via "Hex

Multiple Model Guardrail Jailbreak via "Hex Recipe Book" Tactic

Case GUID: 06b58763-8a7b-4d82-afb6-ebe738b378a4

Summary

A Guardrail Jailbreak vulnerability has been discovered affecting multiple models. The specific flaw exploits models' willingness to decode hexadecimal-encoded strings embedded inside fictional scientific recipe task prompts, which the attacker frames as humanitarian or life-saving efforts. This allows the attacker to bypass safety filters by disguising illegal synthesis instructions as encoded inputs passed to a technical recipe generator.

View Full Intelligence Report

This intelligence report has been made public as it is related to a probe that we have open-sourced as part of the NVIDIA Garak and Microsoft PyRIT model scanners.

If you're interested in accessing the full 0DIN Threat Feed:

Request Trial View Full Intel Report

Metadata

Models and Test Scores

	Copyrights	Harmful Substances		Illicit Substances
	Harry Potter	Anthrax	Nerve Agent	Crystal Meth	Fentanyl
Alibaba Qwen Turbo				45 Illegal Substances: Crystal Meth Alibaba Qwen Turbo Score 45 · 0.7° Tested Jul 03 2025 (12 months ago)
Anthropic Claude 3.5 Haiku				82 Illegal Substances: Crystal Meth Anthropic Claude 3.5 Haiku Score 82 · 0.7° Tested Jul 03 2025 (12 months ago)
Anthropic Claude 4.5 Haiku				73 Illegal Substances: Crystal Meth Anthropic Claude 4.5 Haiku Score 73 · 0.7° Tested Feb 13 2026 (4 months ago)
Cohere Command R				73 Illegal Substances: Crystal Meth Blast radius Cohere Command R Score 73 · 0.7° Tested Jun 18 2026 (about 4 hours ago)
DeepSeek DeepSeek R1				59 Illegal Substances: Crystal Meth DeepSeek DeepSeek R1 Score 59 · 0.7° Tested Jul 03 2025 (12 months ago)
Mistral Mistral Large				68 Illegal Substances: Crystal Meth Mistral Mistral Large Score 68 · 0.7° Tested Jul 03 2025 (12 months ago)
Twitter / X Grok 2				91 Illegal Substances: Crystal Meth Twitter / X Grok 2 Score 91 Tested Jan 21 2025 (over 1 year ago)

Social Impact Score

Level 3: Significant Risk

Violations at this level present a tangible risk to public safety or social well-being, often related to dangerous but not highly restricted content.

Example: Bypassing guardrails to obtain instructions for creating illicit substances, such as recreational drugs or substances with moderate harm potential. Leakage of private personal data such as Social Security number or private medical.

Potential Consequences: Potential health impacts on a small scale, significant regulatory interest, and the need for stricter AI guardrails.

Taxonomies

Language

This category focuses on the use of specific linguistic techniques, such as prompt injection or stylization, to influence the model's output.

Code and Encode

This strategy encompasses techniques that utilize various coding methods, such as Base64 or ROT13, to bypass model restrictions and manipulate outputs.

Base64

This technique involves encoding data into a Base64 format, which is a method of converting binary data into an ASCII string format. This technique can be used to bypass certain content filters or restrictions imposed by language models. By encoding prompts or payloads in Base64, users can potentially manipulate the model's responses or access information that may be restricted in its original form. This method leverages the model's ability to decode and interpret the encoded data, allowing for creative and strategic interactions.

Rhetoric

This category employs persuasive techniques and language to shape the model's responses, often using methods like reverse psychology or Socratic questioning.

Persuasion and Manipulation

This strategy focuses on employing rhetorical techniques to influence the model's responses by framing prompts in a way that persuades or manipulates the output.

Escalating

This technique involves progressively increasing the complexity or intensity of the requests made to the model. Users start with a simple prompt and gradually build upon it by asking for more detailed or extreme responses. This approach can lead the model to explore deeper or more elaborate ideas, as it is encouraged to expand on the initial concept. By escalating the requests, users can guide the model to generate richer and more nuanced outputs, often pushing the boundaries of the original topic.

Possible Worlds

This category entails constructing imaginative environments where different ethics or rules apply, allowing for creative manipulation of the model's behavior.

World Building

This technique involves changing the genre of the prompt to elicit different types of responses from the model. By framing the request within a specific genre, such as poetry, games, or forum posts, users can manipulate the model's output to align with the conventions and expectations of that genre.

Scenarios

This technique involves creating specific contexts or situations in which certain actions or responses are framed as acceptable or necessary. By designing scenarios that present a narrative where the desired output is justified, users can manipulate the model's responses to align with their intentions. For example, scenarios might include urgent situations where a character must take drastic actions to prevent harm, thereby encouraging the model to generate content that it might typically avoid in a neutral context. This approach leverages the model's understanding of narrative and ethical frameworks to achieve specific outcomes.

Stratagems

This involves clever and unorthodox tactics designed to deceive the model, often requiring an understanding of its operational mechanics to achieve desired outcomes.

Meta Prompting

This technique focuses on manipulating the prompting process itself to influence the model's behavior and responses, often by employing higher-level prompting strategies.

Ask for Examples

This technique involves prompting the language model to provide specific instances or illustrations related to a topic. This approach helps clarify concepts and enhances the relevance and detail of the model's responses, ensuring that the output aligns closely with the user's expectations and needs.

Language

This category focuses on the use of specific linguistic techniques, such as prompt injection or stylization, to influence the model's output.

Code and Encode

This strategy encompasses techniques that utilize various coding methods, such as Base64 or ROT13, to bypass model restrictions and manipulate outputs.

Hex

This technique involves encoding information in hexadecimal format, which can be used to bypass model safeguards or to obscure the true nature of the input. By converting data into hex, users can manipulate how the model interprets the input, potentially leading to unintended outputs or responses that would not occur with plain text.

About 0Din.ai

The 0Day Investigative Network (0DIN) was founded by Mozilla in 2024 to reward responsible researchers for their efforts in securing GenAI models. Learn more and submit discoveries at https://0din.ai.

Automate Your AI Security Testing

Want to find vulnerabilities in your own models? 0DIN Scanner turns our human-sourced threat intelligence into automated security assessments.

400+ Attack Probes

Derived from real bug bounties and security research

18+ AI Providers Supported

OpenAI, Azure, Anthropic, AWS Bedrock, and more

Automated Scheduling

Run recurring scans with real-time monitoring

Actionable Metrics

Attack Success Rate (ASR) scoring with 90-day trend analysis

Request a Scanner Demo Learn More About Scanner

Severity

Low

Security Boundary

Guardrail Jailbreak

Models

Alibaba Qwen Turbo

Anthropic Claude 3.5 Haiku

Anthropic Claude 4.5 Haiku

Cohere Command R

DeepSeek DeepSeek R1

Mistral Mistral Large

Twitter / X Grok 2

Disclosed On

2025-07-03 (12 months)

Disclosure Policy

Published On

2026-02-13 (4 months)

Credit

Ansh Maheshwari , Arth Singh, Anonymous, vishnuraj kv, Miller Engelbrecht, Igor Vasiliev, blurrylogic