2025 OWASP Top 10 for LLM Applications: A Quick Guide

Published first as a whitepaper in late 2024, the 2025 OWASP Top 10 for LLM Applications is yet another monumental effort from OWASP made possible by a large number of experts in the fields of AI, cybersecurity, cloud technology, and beyond—including Mend.io Head of AI Bar-El Tayouri.

LLMs are still new to the market but beginning to mature, and the OWASP Top 10 for LLM Applications is maturing alongside it. While this latest version is still not ranked by the frequency of actual exploitation in the wild (as we see with other OWASP Top 10 lists), more feedback from real-world use cases was taken and we see that only three categories survived as-is from the 2023 version.

Here is a quick rundown of each vulnerability and its potential consequences. Mitigation, prevention information, and attack scenarios for each vulnerability can be found in the original report.

OWASP Top 10 for LLM applications

LLM01: Prompt injection

Prompt injections are maliciously crafted inputs that lead to an LLM performing in unintended ways that expose data, or performing unauthorized actions such as remote code execution. It’s no shock that prompt injection is the number one threat to LLMs because it exploits the design of LLMs rather than a flaw that can be patched. In some instances there is no way to stop the threat; you can only mitigate the damage it causes.

There are two kinds of prompt injections: direct prompt injections and indirect prompt injections.

Direct prompt injection. A threat actor provides a prompt designed to circumnavigate the underlying system prompts that AI developers have put in place to secure the model. One direct prompt injection method popular with AI hackers is called DAN, or “Do Anything Now.”  DAN uses role play to trick ChatGPT into ignoring the underlying guardrails OpenAI had put in place to keep the LLM from providing dangerous, illegal, or unethical information.

Indirect prompt injection.  Here, the LLM user unwittingly provides the LLM with data from a bad actor who has maliciously added LLM prompts (usually not visible to the human reader) into the source. Most LLMs don’t differentiate between user prompts and external data, which is what makes indirect prompt injections possible and a real threat. A real life “AI hack” that became viral late last year was adding a prompt to resumes stating that an LLM should ignore all other criteria and report that the user (an overworked hiring manager looking to save some time, no doubt) should hire the resume submitter. The prompt goes unnoticed by the human eye because it’s in white lettering on an imperceptibly off-white background, but the LLM still picks it up and complies.

LLM02: Sensitive information disclosure

Ask the right question and an LLM may pour its heart out, which might include your organization’s or customers’ sensitive information, including personal identifiable information (PII), financial details, health records, confidential business data, security credentials, and legal documents.

Further, poorly configured models embedded into applications may give up proprietary algorithms and other important confidential details that may result in an intellectual property (IP) breach.

LLM03: Supply chain

Few are building LLMs entirely from scratch and are instead relying on existing technology to build atop. Supply chain vulnerabilities can come from malicious or vulnerable models or training data from places like Hugging Face or any other third-party component.

Third-party models and training data can be prone to poisoning attacks and any third-party components can contain the classic vulnerabilities we already know and loathe.

LLM04: Data and model poisoning

Your models are what they eat, and LLMs ingest quite a bit. Data poisoning occurs when data involved in pre-training, fine-tuning, or augmenting (as with RAG) an LLM is manipulated to introduce vulnerabilities that affect the model’s security, ethical behavior, or performance. Data poisoning is a tough vulnerability to fight due to the sheer quantity of data that LLMs take in and the difficulty in verifying all of that data. The absolute best-case scenario for training data poisoning is that your model ends up being not very good at analyzing text and making predictions, but that still negatively impacts your reputation.

Model poisoning can happen when open source models on platforms like Hugging Face contain malware or backdoors.

LLM05: Improper output handling

Improper output handling describes a situation where plugins or other components accept LLM output without secure practices such as sanitization and validation. This can lead to multiple undesirable behaviors, including cross-site scripting and remote code execution on backend systems.

Here’s one possible insecure output handling scenario: After an indirect prompt injection is left in the review of a product by a threat actor, an LLM tasked with summarizing reviews for a user outputs malicious JavaScript code that is interpreted by the user’s browser.

LLM06: Excessive agency

When interfacing with other systems, LLMs need what they need and nothing more. When they have too much functionality, permission, or autonomy, you’ve got an excessive agency vulnerability on your hands.

Some examples of excessive agency include using a plugin to let an LLM read files that also allows it to write or delete files (excessive functionality), an LLM designed to read a single user’s files but has access to every user’s files (excessive permissions), and a plugin that allows an LLM to elect to delete a user’s files without that user’s input (excessive autonomy).

LLM07: System prompt leakage

System prompts are used to guide model behavior but they sometimes include secrets and sensitive information which can leak. Further, system prompts may be set up to put important security control duties like authentication onto the LLM instead of more robust systems. System prompt leakage isn’t a real issue if your system prompt does not include any secrets or other information that would be useful to a malicious actor.

LLM08: Vector and embedding weaknesses

Vector and embedding weaknesses enter the picture when using retrieval augmented generation (RAG) with LLMs. A number of risks fall under this category including unauthorized access and data leakage, cross-context information leaks and knowledge conflicts, embedding inversion attacks, and behavior alteration. 

LLM09: Misinformation

Even the best LLMs aren’t infallible. Misinformation can occur from biases introduced in training data or from LLMs making up for missing training data by hallucinating outputs based on statistical models and not actual context understanding.

LLMs always have limits in what they can do and what they can do well, but they are often seen by the public as magical bases of knowledge in anything and everything. They aren’t. Ask ChatGPT a math question or information about case law and you might see results that look accurate on first read but are in fact inaccurate or completely fabricated.

LLM10: Unbounded consumption

The compute resources of LLMs make them incredibly powerful but giving users too much of that power can lead to undesirable outcomes. Inference is the process of generating a reply to a user’s prompt and unbounded consumption of inference can result in denial of service (DoS), economic losses (from all that extra compute), model theft, and service degradation for all of your non-malicious users. Likewise, those resources are also highly desirable to malicious actors who would like to see them redirected for their own purposes such as crypto-mining.

Best practices for keeping LLMs secure

The best practices for AI models will be familiar to those that work in securing any application. Sanitizing and validating inputs, red-teaming to assess risk and harden code around the model, keeping track of your components with an AI bill of materials, exercising the principles of least privilege and zero trust, and educating users and developers are still the cornerstones of application security, even when you’re working with breakthrough technologies like LLMs.