MITRE has unveiled its 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, highlighting the root causes behind 39,080 Common Vulnerability and Exposure (CVE) records this year.
These prevalent flaws, which are often simple to detect and exploit, enable attackers to seize system control, pilfer sensitive data, or cripple applications.
Developers, security teams, and executives now have a roadmap to prioritize fixes and reshape software development lifecycles (SDLC).
The annual ranking, based on real-world CVE data, has become increasingly relevant amid escalating cyber threats.
Injection flaws and memory corruption remain dominant, but shifts reveal evolving risks. Cross-site scripting (CWE-79) remains at the top despite slipping from last year’s lead, with seven Known Exploited Vulnerabilities (KEVs).
OS Command Injection (CWE-78) remains a high-impact threat, boasting 20 KEVs.
This list drives action across sectors:
- Vulnerability Reduction: Pinpoints root causes like memory safety bugs, guiding SDLC improvements.
- Cost Savings: Fewer flaws mean less post-release patching.
- Trend Analysis: Tracks rises in authorization bypasses amid cloud expansions.
- Exploitability Prioritization: KEV counts flag immediate dangers.
- Customer Trust: Public commitments to fixes build confidence.
Newcomers like Classic Buffer Overflow (CWE-120) and Improper Access Control (CWE-284) signal memory and auth gaps in legacy codebases.
2025 CWE Top 25 Summary
| Rank | CWE ID & Name | CVEs in KEV | Rank Last Year |
|---|---|---|---|
| 1 | CWE-79: Cross-site Scripting | 7 | 1 |
| 2 | CWE-89: SQL Injection | 4 | 3 (↑1) |
| 3 | CWE-352: CSRF | 0 | 4 (↑1) |
| 4 | CWE-862: Missing Authorization | 0 | 9 (↑5) |
| 5 | CWE-787: Out-of-bounds Write | 12 | 2 (↓3) |
| 6 | CWE-22: Path Traversal | 10 | 5 (↓1) |
| 7 | CWE-416: Use After Free | 14 | 8 (↑1) |
| 8 | CWE-125: Out-of-bounds Read | 3 | 6 (↓2) |
| 9 | CWE-78: OS Command Injection | 20 | 7 (↓2) |
| 10 | CWE-94: Code Injection | 7 | 11 (↑1) |
| 11 | CWE-120: Classic Buffer Overflow | 0 | N/A |
| 12 | CWE-434: Unrestricted File Upload | 4 | 10 (↓2) |
| 13 | CWE-476: NULL Pointer Dereference | 0 | 21 (↑8) |
| 14 | CWE-121: Stack-based Buffer Overflow | 4 | N/A |
| 15 | CWE-502: Deserialization of Untrusted Data | 11 | 16 (↑1) |
| 16 | CWE-122: Heap-based Buffer Overflow | 6 | N/A |
| 17 | CWE-863: Incorrect Authorization | 4 | 18 (↑1) |
| 18 | CWE-20: Improper Input Validation | 2 | 12 (↓6) |
| 19 | CWE-284: Improper Access Control | 1 | N/A |
| 20 | CWE-200: Exposure of Sensitive Information | 1 | 17 (↓3) |
| 21 | CWE-306: Missing Authentication | 11 | 25 (↑4) |
| 22 | CWE-918: SSRF | 0 | 19 (↓3) |
| 23 | CWE-77: Command Injection | 2 | 13 (↓10) |
| 24 | CWE-639: Authorization Bypass | 0 | 30 (↑6) |
| 25 | CWE-770: Resource Allocation Without Limits | 0 | 26 (↑1) |
Memory safety issues (e.g., buffer overflows) occur frequently, prompting the adoption of Rust or safer C++. Web apps face injection and auth woes, while KEV-heavy flaws like Use After Free demand zero-trust scrutiny.
Organizations should audit codebases against this list, integrate CWE checks into their CI/CD pipelines, and lobby vendors for transparency.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
