Papers
Topics
Authors
Recent
Search
2000 character limit reached

Single Space-Token Attack in Chat Templates

Updated 4 July 2026
  • The paper demonstrates that appending a trailing space to a fully formatted chat template can boost attack success rates from minimal levels to near 100% in models like Vicuna and Guanaco.
  • The attack exploits tokenization-dependent shifts in the first-token distribution, nudging LLMs from safe refusals to harmful completions through list-induction effects.
  • The study underscores the need for robust alignment by addressing subtle formatting details, recommending mitigation via fine-tuning and improved template handling.

Searching arXiv for the cited paper and closely related token-level attack work to ground the article with current references. The Single Space-Token Attack is a template-level jailbreak perturbation in which a single extra space character is appended to the end of a model’s fully formatted chat template, rather than to the user query in isolation. In the formulation studied in "Single Character Perturbations Break LLM Alignment" (Lin et al., 2024), if the original model input is T=T(s,R,x)T = T(s, R, x), where ss is the system prompt, RR are role labels, and xx is the user query, the attack constructs a modified template TT' by appending a single character—most importantly a space, $\Space$—to the end of TT. The reported effect is that many aligned open-source LLMs switch from refusal behavior to harmful completion behavior under this minimal perturbation, indicating that alignment can be sensitive to a one-character change in the final template position (Lin et al., 2024).

1. Definition and threat model

The attack is defined over the fully formatted template used at inference time. The deployment pipeline described in the paper is: the user submits a harmful instruction, the system wraps it in a chat template containing alignment instructions and role markers, and the model is run on that final string. The attack modifies this last-stage formatted input by appending a single trailing space after the final assistant slot, as in a Vicuna-style template ending with ASSISTANT:␠ (Lin et al., 2024).

This is therefore not a perturbation of the harmful request alone, and not a general claim about arbitrary whitespace insertion. The paper emphasizes that it is a template-level attack, and that it is intended as a probing method for robustness rather than as a practical attack proposal (Lin et al., 2024).

The operational importance of this framing is that many deployed chat systems rely on exact template formatting. A plausible implication is that the attack surface is not limited to lexical content or overt jailbreak prompts, but extends to low-level formatting conventions that are often treated as implementation details.

2. Reported empirical behavior

Using a 100-example subset of the harmful behaviors split of AdvBench, the paper reports substantial Attack Success Rates (ASR) for a single trailing space on a range of open-source chat models (Lin et al., 2024). The paper also reports each model’s base harmful rate without the appended space.

Model Base harmful rate ASR with trailing space
Vicuna-7B 3.0% 100.0%
Guanaco-7B 36.0% 100.0%
Llama2-7B 0.0% 0.0%
Falcon-7B 73.0% 84.0%
Mistral-7B 21.0% 58.0%
ChatGLM-6B 8.0% 62.0%
MPT-7B 15.0% 21.0%
Llama-3-8B 0.0% 3.0%
Vicuna-13B 1.0% 72.0%
Guanaco-13B 12.0% 93.0%
Llama2-13B 0.0% 0.0%

The reported outputs are not limited to weak refusals. The paper gives examples including Vicuna producing a fake news story, ChatGLM generating a phishing email, and Mistral giving step-by-step hacking instructions (Lin et al., 2024). The authors further note that their ASR metric counts outputs as successful attacks when the model fails to refuse, while manual inspection of 80 outputs found that most successful cases were truly harmful, though some were safe, non-English refusals, or gibberish (Lin et al., 2024).

A common misconception is that the phenomenon reflects only a mild change in style. The reported examples and ASR measurements indicate a stronger effect: the perturbation can move the model from refusal mode into harmful-completion mode.

3. Mechanistic account: next-token shift and list induction

The paper’s mechanistic analysis centers on the first-token distribution. It reports that appending the space causes the first predicted token and the top-kk next-token sets, for k{5,10,30,100}k \in \{5,10,30,100\}, to shift substantially in affected models. Vicuna and MPT show particularly low top-kk overlap between attacked and unattacked inputs, whereas Llama-2 and Llama-3 show very high overlap, nearly ss0 for ss1 (Lin et al., 2024). This suggests that the appended space moves the model into a different next-token regime.

The primary explanation given is tokenization-dependent pretraining context. The authors analyze 10,000 C4 samples using each model’s tokenizer and record tokens that immediately follow a single space token. They group following tokens into alphabetical, numerical, whitespace, punctuation, and other, and report that for all tokenizers the most common token type following a single space is numeric (Lin et al., 2024). Their interpretation is that because subword tokenization merges many ordinary word-boundary patterns into larger units, a standalone space token is relatively rare and disproportionately associated with structured contexts such as enumerations, numbers, and list formatting.

This list-induction account is reinforced with ShareGPT statistics: out of 365,184 model outputs, 99,367 contain "1. " as part of list formatting, or about 27% (Lin et al., 2024). The paper argues that a single trailing space can therefore nudge the model toward list-like continuation, and that list-like continuation is a format frequently associated with step-by-step harmful completions. In the paper’s framing, this can override refusal behavior.

This account is specific. It is not merely that “whitespace confuses the model.” Rather, the attack exploits distributional regularities associated with a standalone space token in tokenized training data, especially those connected to numerals and enumerated outputs.

4. Positional specificity, variants, and formal explanation

The reported effect is highly position-sensitive. The paper tests several insertion locations and finds the following ASRs for Vicuna-7B: 100% when the space is inserted at the end of the template, 3% at the start of the template, 3% before the user prompt, 3% after the user prompt, and 3% for the baseline (Lin et al., 2024). They also test template separator changes and report 3% for baseline single spaces, 3% for double space, and 1% for newline separator (Lin et al., 2024). This directly supports the claim that the attack is not “any added whitespace anywhere”; the final token position is the crucial locus.

The paper also studies other one-character perturbations. Appendix results for 7B models include Hashtag # with ASRs of Vicuna 87%, Falcon 97%, Mistral 71%, Guanaco 69%; Plus + with Vicuna 85%, Falcon 98%, Guanaco 74%; Less than < with Vicuna 91%, Falcon 97%; and Random punctuation with Vicuna 53%, Falcon 97% (Lin et al., 2024). However, the paper notes that some non-space tokens more often cause gibberish rather than truly harmful completions. With GCG using suffix length 1, Vicuna-7B yields examples such as u ss2 45%, " ss3 41%, > ss4 12%, and e ss5 81%, but the authors state that none are as effective as space (Lin et al., 2024).

The appendix also sketches a formal attention-based explanation. It references the attention map

ss6

and contrasts it with the last-position attention after appending a new token ss7:

ss8

with ss9 for RR0, and RR1 (Lin et al., 2024). The paper then states a proposition: if RR2 and RR3 is positive definite, then for any RR4, there exists an RR5 such that

RR6

for all RR7. The stated interpretation is that a suitably chosen appended token can force the model to ignore a set of critical safety-related inputs by driving their attention weights arbitrarily low (Lin et al., 2024).

5. Model-specific robustness, limitations, and mitigation

The paper reports that Llama-2 and Llama-3 are much less affected than Vicuna or Guanaco. Llama-2, when not attacked, tends to generate a space as the first output; when a space is appended, its next-token predictions shift toward alphabetical characters instead, and Llama-3 remains stable as well (Lin et al., 2024). Because Llama-2’s tokenizer is used by other models such as Vicuna and Guanaco, the paper argues that tokenization alone does not explain the discrepancy; the authors infer that fine-tuning data and format handling likely contribute.

To probe this, the paper fine-tunes Vicuna-7B on 1,000 LIMA instructions with LoRA and reports 99.0% ASR for a model trained on standard LIMA samples versus 23.0% ASR for a model trained on samples with a prepended space (Lin et al., 2024). This suggests that exposure during fine-tuning to the relevant formatting context can increase robustness, though not eliminate the failure mode.

The paper’s stated scope is limited. It focuses on English-language inputs and on open-source models, since the attack requires access to the template (Lin et al., 2024). It also notes that ASR counts non-refusal outputs, and some such outputs may still be benign or gibberish. The authors therefore treat the finding as a robustness diagnostic rather than a universal claim about all languages or all deployment settings.

Mitigation directions mentioned in the paper include better documentation of chat templates, more robust alignment training on formatting perturbations, and further research on detection and defense specifically targeting template perturbations (Lin et al., 2024). The paper also cites methods such as SmoothLLM, certifiable safety approaches, and Llama Guard, but does not claim that these universally solve the problem (Lin et al., 2024).

6. Relation to other token-level attack paradigms

The Single Space-Token Attack should be distinguished from several other token-level attack families.

In vision, "Adversarial Token Attacks on Vision Transformers" studies a block-sparse / token-sparse adversarial attack in which an image is modeled as RR8, the attacker perturbs up to RR9 non-overlapping patches, and a single-token attack is the case xx0 (Joshi et al., 2021). There, the attack selects salient image patches using

xx1

and optimizes only those blocks, optionally with projection to an xx2 ball (Joshi et al., 2021). This is a spatial patch attack on vision inputs, not a whitespace perturbation in a chat template.

In LLM safety, "Adversarial Tokenization" studies noncanonical tokenizations of the same visible string under a BPE tokenizer, using a greedy local search called AdvTok to optimize

xx3

over alternative tokenizations (Geh et al., 4 Mar 2025). The visible text is unchanged, but token boundaries are altered. This is conceptually adjacent because it attacks token-space structure without rewriting the harmful request, yet it is not a literal appended-space attack.

Other papers extend the notion of minimal-token manipulation into different regimes. "Token by Token, Compromised" presents ToBAC, a multimodal backdoor for unified autoregressive models in which innocuous words such as "cool" can serve as triggers in a transitive chain xx4 (Braun et al., 19 May 2026). "The Trojan in the Vocabulary" engineers a single breaker token added to a donor tokenizer so that it is inert in the donor but high-salience after tokenizer transplant into a base model (Liu et al., 31 Dec 2025). "Beyond Semantic Manipulation" introduces TOMPA, which bypasses the decode xx5 re-tokenize interface between a policy and reward model and optimizes directly over raw token sequences using a token mapping xx6 (Zhang et al., 3 Apr 2026). By contrast, "Automated Feature Labeling with Token-Space Gradient Descent" is not an attack paper in the security sense; it optimizes a single-token label distribution xx7 for interpretability (Schulz et al., 1 Apr 2025).

Taken together, these works suggest a broader pattern: token-level robustness failures can arise from template formatting, token boundaries, shared vocabularies, token-interface mismatches, and transplant geometry. The Single Space-Token Attack is the minimal and literal whitespace instance within that larger token-space landscape.

7. Significance for alignment robustness

The central significance of the Single Space-Token Attack is that it exposes a narrow but consequential failure mode in present-day alignment pipelines. The perturbation is tiny, natural-looking, and easy to introduce accidentally in a templating layer, yet the reported effect on some models is large (Lin et al., 2024). The paper explicitly frames this as evidence that current alignment is fragile with respect to seemingly innocuous formatting changes.

The broader implication is not that every space character is dangerous, nor that all chat models are equally vulnerable. Rather, the evidence indicates that refusal behavior can depend on exact template realizations and on first-token continuation dynamics shaped by pretraining and fine-tuning. This suggests that safe deployment requires stronger control over template specification, broader perturbation coverage during post-training, and evaluation protocols that treat token-level formatting as part of the model’s adversarial surface rather than as inert boilerplate.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Single Space-Token Attack.