Skip to main content

OWASP Top 10 for LLM Applications (2025)

The OWASP Top 10 for LLM Applications is the shared baseline for generative AI security, covering prompt injection, data disclosure, excessive agency, and supply chain risk. Map each risk to a control, owner, and test.

Organization
OWASP
Published
Nov 18, 2024

Best Practice: OWASP Top 10 for LLM Applications (2025)

The OWASP Top 10 for LLM Applications is a community-driven list of the most critical security risks in systems built on large language models. The 2025 edition covers risks such as prompt injection, sensitive information disclosure, supply chain vulnerabilities, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption. It matters because LLM applications introduce attack surfaces that traditional application security checklists miss, and this list gives teams a shared, prioritized starting point.

The list is maintained by the OWASP GenAI Security Project, a global community of security practitioners, and is updated as the threat landscape evolves. The 2025 edition reflects lessons from real deployments, elevating risks such as system prompt leakage and vector and embedding weaknesses that were not prominent earlier. It is deliberately framed as a starting point: each risk should be mapped to your specific architecture, assigned an owner, paired with a concrete control, and backed by a test, rather than treated as a box-ticking exercise.

Step-by-Step Implementation Guidance

  1. Review each of the ten risks against your architecture and data flows.
  2. Treat all model input as untrusted; defend against prompt injection.
  3. Add output handling controls so model output is never blindly executed or rendered.
  4. Limit agency: scope tools, permissions, and autonomous actions tightly.
  5. Protect against sensitive data disclosure with redaction and access control.
  6. Vet the model and plugin supply chain, including data sources.
  7. Set rate and resource limits to prevent unbounded consumption and cost abuse.
  8. Map each risk to a control, an owner, and a test.

Several risks deserve special attention in agentic systems. Excessive agency, where a model is given more autonomy or tool access than the task requires, can turn a minor injection into a serious incident. Improper output handling, where model output is executed, rendered, or queried without validation, opens classic injection paths. Unbounded consumption, where there are no rate or resource limits, enables cost abuse and denial of service. Mapping each risk to a control, an owner, and a test is what turns the list from awareness into protection.

Common Mistakes Teams Make When Ignoring This Practice

  • Trusting model output enough to execute it without validation.
  • Giving agents excessive permissions and tool access.
  • Exposing system prompts that reveal secrets or logic.
  • No limits on requests, enabling cost and denial-of-service abuse.
  • Ignoring poisoning risks in training or retrieval data.

Tools and Techniques That Support This Practice

  • Guidance: OWASP GenAI Security Project resources and cheat sheets.
  • Controls: input/output guardrails, content filters, least-privilege tooling.
  • Testing: AI red teaming, dependency and supply chain scanning.

How This Practice Applies to Different Migration Types

  • Cloud Migration: Constrain an AI assistant so injected text cannot trigger destructive infra actions.
  • Database Migration: Prevent sensitive-record disclosure through model-driven queries.
  • SaaS Migration: Treat third-party content as a prompt injection vector in integrations.
  • Codebase Migration: Validate AI-generated code before it touches the supply chain.

Checklist

  • All ten risks mapped to the architecture
  • Prompt injection defenses in place
  • Output handling controls added
  • Agent permissions scoped to least privilege
  • Sensitive data redaction and access control set
  • Supply chain and data sources vetted
  • Rate and resource limits enforced