
OWASP LLM Top 10 for 2025: Securing Large Language Models

Ashwani Paliwal
December 6, 2024

The Open Worldwide Application Security Project (OWASP®) has released the much-anticipated 2025 update to its OWASP LLM Top 10, providing critical guidance for securing large language model (LLM) applications. With generative AI (GenAI) and LLM systems transforming industries, this resource addresses evolving risks, offers practical mitigations, and anchors security efforts in real-world incidents and research. Here's an in-depth look at what this update offers and why it’s pivotal for developers, researchers, and enterprises working with LLMs.

What Is the OWASP LLM Top 10?

The OWASP LLM Top 10 is a community-driven initiative designed to identify and address the top security risks associated with large language models. This list is essential for developers and organizations integrating AI into their workflows, as it highlights potential vulnerabilities and suggests actionable mitigation strategies.

With the explosion of Retrieval-Augmented Generation (RAG), agentic architectures, and complex prompt engineering, the 2025 update ensures the LLM security landscape is ready for what lies ahead.

Highlights of the 2025 OWASP LLM Top 10 Update

1. Broader Contributions and Updated Risks

The updated risks reflect a global effort, incorporating insights from researchers, practitioners, and real-world deployments. This ensures a holistic perspective on emerging LLM vulnerabilities.

2. Focus on Retrieval-Augmented Generation (RAG) Security

RAG, which combines LLMs with external data retrieval systems, introduces unique attack vectors such as poisoning retrieved datasets or exploiting weak retrieval pipelines. OWASP’s update provides concrete recommendations to secure these pipelines and ensure robust integration.

3. Expanded Coverage of Prompt-Based Risks

Prompt engineering remains a cornerstone of LLM interaction, but it is fraught with risks:

  • Prompt Injection: Attackers manipulate inputs to execute unintended actions.
  • System Prompt Leakage: Sensitive configurations and instructions embedded in prompts may inadvertently be exposed.

Mitigation strategies in this update focus on robust prompt validation, sanitization, and contextual compartmentalization to minimize exposure.

4. Addressing "Excessive Agency" in Agentic AI

Agentic AI systems, which autonomously execute tasks or interact with external environments, introduce a higher degree of complexity and risk. These systems are susceptible to:

  • Unintended Task Execution: Exploiting agents to perform harmful or unintended actions.
  • Escalation of Privileges: Compromising the autonomy of AI agents to access higher-level functions.

OWASP emphasizes limiting agent permissions and implementing real-time monitoring of agent behavior to prevent misuse.

5. Rich References and Crosswalks to MITRE’s ATLAS Framework

The update includes an extensive library of references, covering academic research, publications, and case studies. The risks are also mapped to MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATLAS), enabling practitioners to leverage existing frameworks for threat modeling and mitigation.

The 2025 OWASP LLM Top 10 Risks

1. Prompt Injection

Risk: Attackers manipulate user inputs to control the model's behavior, potentially generating malicious outputs or bypassing restrictions.

Example: Instructing an LLM to ignore safety filters and execute harmful commands by crafting misleading prompts.

Mitigation:

  • Validate and sanitize all user inputs.
  • Use sandboxing techniques to isolate LLM interactions.
  • Limit the model's actions based on its role and context.

2. Sensitive Information Disclosure

Risk: LLMs may inadvertently expose confidential data embedded in training sets or shared during interactions.

Example: Users extracting sensitive internal information (e.g., API keys or credentials) through crafted queries.

Mitigation:

  • Train models on sanitized datasets.
  • Implement access controls and audit logs to monitor interactions.
  • Use differential privacy techniques to minimize sensitive data leakage.

3. Supply Chain Risks

Risk: Third-party dependencies or pre-trained models may introduce vulnerabilities into LLM applications.

Example: Incorporating a compromised pre-trained model with backdoors or malicious code.

Mitigation:

  • Verify the integrity of third-party components.
  • Use cryptographic signatures to ensure trusted updates.
  • Regularly scan dependencies for vulnerabilities.
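One way to apply the first two mitigations, as an added example that is not part of the article or of OWASP's own material: before a pre-trained model artifact is loaded, its SHA-256 digest is checked against a pinned manifest, and both tampered and unpinned files are rejected. The manifest format, file names and contents are assumptions constructed for the example.

```python
# Added example: verify a downloaded model artifact against a pinned SHA-256
# manifest before loading it. Manifest format and file names are assumptions;
# the sample artifact is constructed inline so the example runs offline.
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large weight files need not fit in RAM


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifact(path: str, manifest: dict) -> bool:
    """Return True only if the file name is pinned in the manifest and its
    digest matches. Unknown files are rejected rather than silently accepted."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False
    # constant-time comparison avoids leaking how many digest characters matched
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> tuple:
    """Constructed scenario: a pinned weights file, a tampered copy of it,
    and a file that was never pinned."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "model.safetensors")
        with open(good, "wb") as f:
            f.write(b"weights-v1")
        manifest = {"model.safetensors": sha256_file(good)}
        ok_pinned = verify_artifact(good, manifest)

        with open(good, "wb") as f:  # simulate a swapped or backdoored file
            f.write(b"weights-v1-tampered")
        ok_tampered = verify_artifact(good, manifest)

        stray = os.path.join(d, "extra.bin")
        with open(stray, "wb") as f:
            f.write(b"unpinned")
        ok_unpinned = verify_artifact(stray, manifest)
    return ok_pinned, ok_tampered, ok_unpinned


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In a real deployment the manifest itself would be signed and its signature checked before any digest is trusted; that step is outside this snippet.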

4. Data and Model Poisoning

Risk: Malicious actors manipulate training or fine-tuning data to bias the model or introduce harmful behavior.

Example: Poisoning a training set to skew LLM responses or embed specific attack patterns.

Mitigation:

  • Perform rigorous data validation and anomaly detection.
  • Use adversarial testing to identify vulnerabilities.
  • Train models in controlled environments with trusted datasets.

5. Improper Output Handling

Risk: Unfiltered model outputs may include harmful, biased, or misleading information.

Example: LLMs providing offensive or inaccurate content due to unregulated post-processing.

Mitigation:

  • Implement output moderation systems.
  • Use post-processing layers to filter and validate generated content.
  • Provide disclaimers for AI-generated outputs.

6. Excessive Agency

Risk: Agentic LLMs—systems with autonomous decision-making capabilities—can perform unintended or harmful actions.

Example: An LLM autonomously executing financial transactions without proper safeguards.

Mitigation:

  • Restrict agent permissions to necessary functions.
  • Monitor and log all autonomous actions for review.
  • Set strict boundaries for task execution and revoke access if anomalies are detected.
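The three mitigations above, as an added example that is not code from the article or from OWASP: a gate in front of every tool call checks the agent's role against an allowlist, requires human approval for high-risk actions, logs each decision, and revokes the session after repeated out-of-scope requests. Role names, tool names and the denial threshold are assumptions.

```python
# Added example: a least-privilege gate in front of an agent's tool calls.
# Role names, tool names and the anomaly threshold are assumptions.
from dataclasses import dataclass, field

# Each agent role may only call the tools it needs; anything else is denied.
ROLE_TOOLS = {
    "support_reader": {"lookup_order", "search_faq"},
    "billing_agent": {"lookup_order", "issue_refund"},
}
HIGH_RISK = {"issue_refund"}   # actions that always need human approval
MAX_DENIALS = 3                # out-of-scope calls before the agent is revoked


@dataclass
class AgentSession:
    role: str
    revoked: bool = False
    denials: int = 0
    log: list = field(default_factory=list)


def gate(session: AgentSession, tool: str, args: dict, approved: bool = False) -> str:
    """Decide 'allow', 'needs_approval', 'deny' or 'revoked' for one tool call,
    logging every decision so autonomous actions can be reviewed afterwards."""
    if session.revoked:
        decision = "revoked"
    elif tool not in ROLE_TOOLS.get(session.role, set()):
        session.denials += 1
        decision = "deny"
        if session.denials >= MAX_DENIALS:
            session.revoked = True   # repeated out-of-scope calls count as an anomaly
    elif tool in HIGH_RISK and not approved:
        decision = "needs_approval"  # keep a human in the loop for risky actions
    else:
        decision = "allow"
    session.log.append({"role": session.role, "tool": tool,
                        "args": args, "decision": decision})
    return decision


def demo() -> list:
    """Constructed scenario: a read-only agent drifting out of scope, then a
    billing agent whose refund needs explicit approval."""
    s = AgentSession(role="support_reader")
    out = [gate(s, "lookup_order", {"id": 42})]         # allow
    out.append(gate(s, "issue_refund", {"id": 42}))     # deny: not in role
    out.append(gate(s, "delete_account", {"id": 42}))   # deny
    out.append(gate(s, "send_email", {"to": "x"}))      # deny -> session revoked
    out.append(gate(s, "search_faq", {"q": "refund"}))  # revoked, even for allowed tool
    b = AgentSession(role="billing_agent")
    out.append(gate(b, "issue_refund", {"id": 42}))                 # needs_approval
    out.append(gate(b, "issue_refund", {"id": 42}, approved=True))  # allow
    return out
```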

7. System Prompt Leakage

Risk: Attackers uncover embedded system prompts, exposing sensitive configurations or enabling bypasses.

Example: Extracting hidden prompts that govern LLM behavior to manipulate the system.

Mitigation:

  • Encrypt system-level prompts.
  • Compartmentalize and obfuscate sensitive prompt information.
  • Validate responses to ensure no unintentional leakage.

8. Vector and Embedding Weaknesses

Risk: Exploiting weaknesses in vector representations or embeddings used for understanding context or retrieval.

Example: Adversarial inputs designed to cause incorrect interpretations or retrieval results.

Mitigation:

  • Use robust embedding validation techniques.
  • Regularly test embeddings against adversarial scenarios.
  • Secure vector stores and retrieval pipelines.

9. Misinformation

Risk: LLMs generating or amplifying false or misleading information, eroding user trust and causing harm.

Example: An LLM providing inaccurate medical advice or biased opinions.

Mitigation:

  • Train models on high-quality, verified datasets.
  • Employ real-time fact-checking mechanisms.
  • Incorporate disclaimers to highlight the potential for inaccuracies.

10. Unbounded Consumption

Risk: Excessive resource usage, such as a high volume of API calls or memory consumption, leading to denial of service or system degradation.

Example: A malicious user flooding the system with requests to overload resources.

Mitigation:

  • Enforce rate limiting and quota policies.
  • Monitor usage patterns for anomalies.
  • Deploy scalable infrastructure to handle unexpected spikes in demand.
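The rate-limiting and quota mitigation, as an added example that is not from the article or from OWASP: a per-client limiter that caps both the number of requests and the estimated token spend in a sliding window, since an LLM backend can be exhausted by a few very large requests as easily as by many small ones. Window size, limits and client ids are assumptions; the clock is passed in so the example runs offline.

```python
# Added example: a per-client limiter that caps both request rate and
# token spend per window, so one caller cannot exhaust the model budget.
# Limits and client ids are assumptions; time is injected so it runs offline.
from collections import deque

WINDOW_SEC = 60
MAX_REQUESTS = 5    # requests per window per client
MAX_TOKENS = 2000   # prompt + completion tokens per window per client


class QuotaLimiter:
    def __init__(self, window=WINDOW_SEC, max_req=MAX_REQUESTS, max_tok=MAX_TOKENS):
        self.window, self.max_req, self.max_tok = window, max_req, max_tok
        self._hist = {}  # client -> deque of (timestamp, tokens) inside the window

    def _prune(self, client: str, now: float) -> deque:
        q = self._hist.setdefault(client, deque())
        while q and now - q[0][0] >= self.window:
            q.popleft()  # drop entries that have aged out of the window
        return q

    def check(self, client: str, now: float, est_tokens: int) -> str:
        """Return 'ok', 'rate_limited' or 'token_quota' for a request that would
        cost est_tokens. Accepted requests are recorded immediately, so the
        estimate is charged even if the model call later fails or is aborted."""
        q = self._prune(client, now)
        if len(q) >= self.max_req:
            return "rate_limited"
        if sum(t for _, t in q) + est_tokens > self.max_tok:
            return "token_quota"
        q.append((now, est_tokens))
        return "ok"


def demo() -> list:
    """Constructed scenario: one client hits the request cap, another hits the
    token cap with only two large requests, and the window then rolls over."""
    lim = QuotaLimiter()
    out = [lim.check("alice", now=0, est_tokens=300) for _ in range(5)]  # 5x ok
    out.append(lim.check("alice", now=1, est_tokens=10))     # rate_limited
    out.append(lim.check("bob", now=1, est_tokens=1500))     # ok
    out.append(lim.check("bob", now=2, est_tokens=600))      # token_quota (2100 > 2000)
    out.append(lim.check("alice", now=61, est_tokens=10))    # ok: window has rolled
    return out
```

Repeated "rate_limited" or "token_quota" results for one client are the usage anomaly the next mitigation bullet asks to monitor, so they belong in the same log as the gate decisions.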

Why the OWASP LLM Top 10 Matters

For Developers

This list provides actionable guidance to build secure LLM applications, integrating mitigations from the design phase.

For Organizations

With LLMs increasingly handling critical business functions, addressing these risks minimizes legal, financial, and reputational damage.

For Researchers and Practitioners

The list serves as a foundation for studying and addressing LLM vulnerabilities, fostering collaboration between academia and industry.

Conclusion

The 2025 OWASP LLM Top 10 reflects the evolving challenges in securing LLM applications amidst rapid technological advancements. By understanding and addressing these risks, stakeholders can harness the full potential of LLMs while maintaining robust security and trust.

As generative AI shapes the future, proactive measures will ensure that this revolution remains both innovative and secure. Are you prepared to safeguard the next wave of AI systems?
