MCTS-guided photo edits bypass image safety classifiers at 76.2% ASR with <2 edits
Auto-published from arXiv:2606.06140 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: cleared review (confidence 0.78, flags: [possible-zero-day]) ⚠ needsDisclosureReview = true — review for undisclosed vulnerability before any public submission.
Category
multimodal
Model
Qwen3.6-35B (used as safety classifier / target detector)
Surface
image safety classifier API (black-box)
Setup
The RedEdit agent formulates evasion as a combinatorial search over a 16-tool set of deterministic, non-generative photo edits (rotate, hue shift, grayscale, compress, etc.). A VLM proposer (prompted to suggest 'k=3 diverse editing operations from different tool categories, conditioning on edit history and detector feedback') nominates candidate edits; MCTS selects promising sequences and backtracks from ineffective ones. Unsafe images from UnsafeBench (11 categories: sexual, violence, hate, harassment, etc.) are edited and re-submitted to the classifier until evasion succeeds or a depth budget is exhausted. No generative or adversarial perturbation is used — all edits are standard photo tools.
Observed behavior
76.2% of unsafe images evade the target detector (vs 59.5% for single-best-edit baseline) while retaining 93.0% malicious semantics (CPR ≥ 0.60 threshold). Successful attacks averaged fewer than 2 edits. Category-specific examples: a hue 180° shift reduced unsafe score 0.95→0.00 on sexual content; a 15° rotation reduced 0.85→0.00 on violence; a vertical flip reduced 0.95→0.00 on harassment; grayscale reduced 0.95→0.00 on hate imagery. Rotate accounted for 39.9% of successful edits (3.7× random baseline frequency), hue shift 13.9% (2.4×), grayscale 12.7% (2.2×).
Expected behavior
A robust image safety classifier should flag semantically malicious content regardless of simple geometric or color-space transformations that do not alter the depicted subject matter.
Reproducibility
medium
Threat model
Any operator deploying an image safety classifier in a content moderation pipeline (social media platforms, image hosting services, generative AI output filters) is exposed: a motivated user can apply one or two standard photo edits (rotate, hue shift) in any consumer editor to reliably bypass automated moderation while the content remains perceptually harmful to human reviewers.
Novelty
First systematic demonstration that black-box combinatorial search over standard photo-editing primitives (non-generative, fully deterministic) can evade a diverse set of safety classifiers at high ASR, modeling realistic user-style evasion rather than adversarial pixel perturbations.
Source
- arXiv: 2606.06140
- PDF: https://arxiv.org/pdf/2606.06140
- Categories: cs.CR
- Authors: Weilin Lin, Ziqi Lin, Zhenxing Zhou, Jianze Li, Tong Zhang, Hui Xiong, Li Liu
Triage notes (auto)
- paperType:
red-team-vuln - estimatedCaseCount: 3
- triage reason: Red-teaming paper demonstrating concrete, quantified evasion of image safety classifiers through MCTS-guided photo editing (76.2% evasion with <2 edits average on UnsafeBench). Multiple distinct failure cases across image types with reproducible methodology; no disclosure notice mentioned.
0 comments
─────────────────────────────────────────────────────────────────────
// no comments yet