T5-AT-013 · MEDIUM
Version Downgrade Attacks
T5 · Model & API Exploitation
Risk score: 190
Rating: Medium
Procedures: 1
Severity
Mechanism
LLM providers maintain multiple model versions simultaneously for backward compatibility. The design assumption is that version selection is a benign quality choice. The gap: older model versions have weaker safety alignment.
Detection
- Monitor model version selection in API requests — alert on requests explicitly targeting older versions
- Track version distribution across requests per user — legitimate users typically use latest
- Alert on self-hosted model file changes (checksum monitoring)
- Log model version alongside safety classifier decisions for version-specific safety regression analysis
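One way to implement the per-user version tracking and the version-tagged safety logging listed above, as an added example that is not part of the original catalogue entry. The log field names (`user`, `model`, `safety_blocked`), the model names and the thresholds are assumptions, and the records are constructed.

```python
from collections import Counter, defaultdict

LATEST = "model-v3"  # assumed name of the current model version

# Constructed sample records (not real logs): one dict per API request.
SAMPLE_LOG = [
    {"user": "alice", "model": "model-v3", "safety_blocked": False},
    {"user": "alice", "model": "model-v3", "safety_blocked": False},
    {"user": "alice", "model": "model-v3", "safety_blocked": True},
    {"user": "alice", "model": "model-v3", "safety_blocked": False},
    {"user": "bob", "model": "model-v3", "safety_blocked": True},
    {"user": "bob", "model": "model-v1", "safety_blocked": False},
    {"user": "bob", "model": "model-v1", "safety_blocked": False},
    {"user": "bob", "model": "model-v1", "safety_blocked": False},
    {"user": "carol", "model": "model-v1", "safety_blocked": True},
]


def version_report(records, latest=LATEST, min_requests=3, max_old_share=0.5):
    """Return (per-user alerts, per-version safety block rate)."""
    per_user = defaultdict(Counter)            # user -> Counter(model -> requests)
    per_version = defaultdict(lambda: [0, 0])  # model -> [requests, blocked]
    for rec in records:
        per_user[rec["user"]][rec["model"]] += 1
        stats = per_version[rec["model"]]
        stats[0] += 1
        stats[1] += int(rec["safety_blocked"])

    alerts = {}
    for user, counts in per_user.items():
        total = sum(counts.values())
        old = total - counts[latest]  # requests pinned to a non-latest version
        # Require a minimum volume so a single legacy call does not page anyone.
        if total >= min_requests and old / total > max_old_share:
            alerts[user] = {
                "old_share": round(old / total, 2),
                "versions": sorted(v for v in counts if v != latest),
            }

    # Block rate per version supports version-specific regression analysis:
    # a markedly lower rate on an old version is worth a safety re-evaluation.
    block_rate = {v: round(b / n, 2) for v, (n, b) in per_version.items()}
    return alerts, block_rate


if __name__ == "__main__":
    print(version_report(SAMPLE_LOG))
```
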
Mitigation
- Aggressive version deprecation (short support windows): HIGH
- Backport safety patches to all supported versions: MEDIUM
- Per-version safety evaluation (continuous red-teaming of old versions): MEDIUM
- Restrict version selection to admin-only API keys: HIGH
Chaining
Version downgrade is a technique multiplier — any jailbreak that has been patched in the current version but was published against an older version becomes viable again via downgrade. Chains directly to T1 (Prompt Subversion), T2 (Semantic Evasion), and T3 (Reasoning Exploitation) using version-era-specific techniques.
Framework mapping
OWASP LLM: LLM02
MITRE ATLAS: AML.T0040