OWASP Top 10 for LLM Applications 2025 — Summary

Posted by:

|

On:

|

,

The OWASP Top 10 for Large Language Model (LLM) Applications 2025 is a comprehensive guide identifying the most critical security risks in LLM-powered systems. As LLMs become central to business operations and customer interfaces, their vulnerabilities require proactive attention from developers and security professionals. This version incorporates real-world incidents, community feedback, and the evolving AI threat landscape.

Top 10 LLM Risks (2025)

  1. Prompt Injection
    Malicious or manipulated inputs cause the LLM to behave unpredictably, bypass safety mechanisms, or execute unauthorized actions. This includes direct prompt manipulation and indirect injection through external sources like web content or files.
  2. Sensitive Information Disclosure
    LLMs may leak training data, user information, internal system prompts, or context data, especially when not properly sandboxed or when summarizing large inputs.
  3. Supply Chain Vulnerabilities
    Risks emerge from using unvetted or compromised third-party models, libraries, or datasets. Attackers may insert malicious components or poison upstream sources.
  4. Data and Model Poisoning
    Attackers introduce harmful data into training or inference pipelines, corrupting model behavior. Poisoning can lead to biased, unsafe, or attacker-controlled outputs.
  5. Improper Output Handling
    When applications blindly trust LLM responses, it can lead to security flaws, misinformation, or even code execution. Output must be validated and constrained.
  6. Excessive Agency
    LLMs granted too much autonomy—such as plugin access or ability to execute code—can perform harmful actions if compromised or misled, especially in agentic architectures.
  7. System Prompt Leakage
    Hidden system instructions (e.g., “You are a helpful assistant”) may be exposed through clever prompts, enabling attackers to reverse-engineer or manipulate system behavior.
  8. Vector and Embedding Weaknesses
    Embeddings used in RAG pipelines or similarity search can be tampered with to retrieve irrelevant or malicious documents, injecting toxic context into LLM outputs.
  9. Misinformation
    LLMs can generate confident but false information. When used in decision-making, content generation, or summarization, this poses reputational and legal risks.
  10. Unbounded Consumption
    Poorly controlled LLM usage can lead to excessive compute usage, runaway costs, or denial-of-service (DoS) conditions due to unthrottled prompts or recursive loops.

Key Recommendations

  • Enforce principle of least privilege for LLMs.
  • Filter and validate both inputs and outputs.
  • Segregate trusted from untrusted content sources.
  • Use adversarial testing and threat modeling.
  • Require human review for critical actions.
  • Harden access to internal prompts and data.

More info and full list: genai.owasp.org
License: CC BY-SA 4.0 | © OWASP Foundation