This work uncovers jailbreaking security vulnerabilities in image-to-video (I2V) generative models within multimodal systems and proposes the first dynamic, self-evolving multimodal jailbreaking attack framework. Methodologically, it introduces a three-tier “policy–tactic–action” self-evolving architecture that integrates reinforcement learning for policy optimization, large language model–driven policy exploration, multimodal instruction generation, and image manipulation techniques to enable fully automated, closed-loop collaborative attacks. Its key contribution lies in pioneering the incorporation of self-evolution mechanisms into I2V security evaluation, substantially enhancing attack adaptability and cross-dataset generalization. Extensive evaluations on state-of-the-art models—including Open-Sora 2.0 and CogVideoX—demonstrate superior effectiveness: on the COCO2017 benchmark, the proposed framework achieves a 58.5%–79% improvement in attack success rate over existing methods, establishing new state-of-the-art performance.

Image-to-Video (I2V) generation synthesizes dynamic visual content from image and text inputs, providing significant creative control. However, the security of such multimodal systems, particularly their vulnerability to jailbreak attacks, remains critically underexplored. To bridge this gap, we propose RunawayEvil, the first multimodal jailbreak framework for I2V models with dynamic evolutionary capability. Built on a "Strategy-Tactic-Action" paradigm, our framework exhibits self-amplifying attack through three core components: (1) Strategy-Aware Command Unit that enables the attack to self-evolve its strategies through reinforcement learning-driven strategy customization and LLM-based strategy exploration; (2) Multimodal Tactical Planning Unit that generates coordinated text jailbreak instructions and image tampering guidelines based on the selected strategies; (3) Tactical Action Unit that executes and evaluates the multimodal coordinated attacks. This self-evolving architecture allows the framework to continuously adapt and intensify its attack strategies without human intervention. Extensive experiments demonstrate RunawayEvil achieves state-of-the-art attack success rates on commercial I2V models, such as Open-Sora 2.0 and CogVideoX. Specifically, RunawayEvil outperforms existing methods by 58.5 to 79 percent on COCO2017. This work provides a critical tool for vulnerability analysis of I2V models, thereby laying a foundation for more robust video generation systems.