MITRE has released its annual Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list for 2025, identifying the most critical vulnerabilities affecting software development worldwide.
The comprehensive analysis draws from over 39,080 CVE records, providing security professionals and developers with actionable intelligence to strengthen their defenses.
MITRE's 2025 list reveals significant shifts in the vulnerability landscape. Cross-site Scripting (XSS) remains the most prevalent weakness.
At the same time, SQL Injection rises one rank to number two, underscoring the persistent threat of injection-based attacks.
Notable this year is Missing Authorization, which jumps five positions to rank fourth, reflecting growing concerns about inadequate access controls in modern applications.
Memory safety vulnerabilities continue to pose substantial risks, with Out-of-bounds Write, use-after-free, Out-of-bounds Read, and various buffer overflow types collectively dominating the list.
These memory-related weaknesses enable attackers to compromise system integrity and steal data outright.
OS Command Injection (rank 9) leads with 20 entries in CISA's Known Exploited Vulnerabilities (KEV) catalog, making it the most actively exploited weakness in the wild.
Authentication and authorization failures gain prominence in 2025. Beyond Missing Authorization, Missing Authentication for Critical Functions ranks 21st with 11 KEV entries, signaling a critical gap in securing sensitive operations.
Authorization Bypass Through User-Controlled Key debuts in the top 25 at rank 24, highlighting emerging attack vectors that exploit flawed permission mechanisms.
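As an added illustration of the two authorization weaknesses named above (this is not code from MITRE or from this article; the invoice records, user names and function names are constructed for the example), here is the CWE-639 pattern, where a record is fetched by a user-controlled key with no ownership check, next to a handler that scopes the lookup to the authenticated caller, plus a small self-check that counts cross-user reads:

```python
# Added example (not from the MITRE list or the article): CWE-862 / CWE-639
# in miniature, with its fix. All records, users and function names below
# are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """CWE-639 pattern: the record is looked up purely by the user-controlled
    key; nothing ties the record to the authenticated caller, so any valid id
    returns any user's invoice."""
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user: str, invoice_id: int) -> Invoice:
    """Hardened version: the lookup is scoped to the caller. A record that
    exists but belongs to someone else is handled exactly like a missing one,
    so the endpoint leaks neither the data nor the record's existence."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not access invoice {invoice_id}")
    return invoice


def can_access(func, current_user: str, invoice_id: int) -> bool:
    """True if func returns a record for the (user, id) pair, False if it
    refuses (either by an explicit Forbidden or by a missing-key error)."""
    try:
        func(current_user, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False


def cross_tenant_leaks(func) -> int:
    """Count (user, invoice) pairs where a user can read a record they do not
    own. This is the kind of self-check a test suite can run against every
    handler that takes an object id from the request."""
    users = {inv.owner for inv in INVOICES.values()}
    leaks = 0
    for user in sorted(users):
        for inv_id, inv in INVOICES.items():
            if inv.owner != user and can_access(func, user, inv_id):
                leaks += 1
    return leaks


if __name__ == "__main__":
    print("leaks (vulnerable):", cross_tenant_leaks(get_invoice_vulnerable))  # 2
    print("leaks (fixed):     ", cross_tenant_leaks(get_invoice_fixed))       # 0
```

The fixed handler treats "not found" and "not yours" identically, which is the usual recommendation for CWE-639: distinguishing the two tells a caller which ids exist. The `cross_tenant_leaks` check generalizes beyond this toy: enumerate the principals and objects in a test fixture and assert the count is zero for every id-taking endpoint.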
The data reveals strategic insights for organizations. Out-of-bounds Read declined from rank six to eight despite remaining common.
At the same time, Improper Input Validation dropped significantly from rank 12 to 18, suggesting improved awareness in foundational validation practices.
However, new entries to the list, such as Classic Buffer Overflow and Heap-based Buffer Overflow, highlight persistent memory safety challenges.
| Rank | CWE ID | Weakness | CVEs in KEV | Previous Rank (change) |
|---|---|---|---|---|
| 1 | 79 | Cross-site Scripting (XSS) | 7 | 1 |
| 2 | 89 | SQL Injection | 4 | 3 ↑1 |
| 3 | 352 | Cross-Site Request Forgery (CSRF) | 0 | 4 ↑1 |
| 4 | 862 | Missing Authorization | 0 | 9 ↑5 |
| 5 | 787 | Out-of-bounds Write | 12 | 2 ↓3 |
| 6 | 22 | Path Traversal | 10 | 5 ↓1 |
| 7 | 416 | Use After Free | 14 | 8 ↑1 |
| 8 | 125 | Out-of-bounds Read | 3 | 6 ↓2 |
| 9 | 78 | OS Command Injection | 20 | 7 ↓2 |
| 10 | 94 | Code Injection | 7 | 11 ↑1 |
| 11 | 120 | Classic Buffer Overflow | 0 | N/A |
| 12 | 434 | Unrestricted File Upload | 4 | 10 ↓2 |
| 13 | 476 | NULL Pointer Dereference | 0 | 21 ↑8 |
| 14 | 121 | Stack-based Buffer Overflow | 4 | N/A |
| 15 | 502 | Deserialization of Untrusted Data | 11 | 16 ↑1 |
| 16 | 122 | Heap-based Buffer Overflow | 6 | N/A |
| 17 | 863 | Incorrect Authorization | 4 | 18 ↑1 |
| 18 | 20 | Improper Input Validation | 2 | 12 ↓6 |
| 19 | 284 | Improper Access Control | 1 | N/A |
| 20 | 200 | Exposure of Sensitive Information | 1 | 17 ↓3 |
| 21 | 306 | Missing Authentication | 11 | 25 ↑4 |
| 22 | 918 | Server-Side Request Forgery (SSRF) | 0 | 19 ↓3 |
| 23 | 77 | Command Injection | 2 | 13 ↓10 |
| 24 | 639 | Authorization Bypass (User-Controlled Key) | 0 | 30 ↑6 |
| 25 | 770 | Resource Allocation Without Limits | 0 | 26 ↑1 |
MITRE emphasizes that this list serves as a strategic guide for reducing vulnerabilities, achieving cost savings, conducting trend analysis, and assessing exploitability.
By understanding these root causes, organizations can implement targeted security investments, refine software development lifecycles, and eliminate entire classes of vulnerabilities before deployment.
The 2025 CWE Top 25 enables developers and security teams to prioritize remediation efforts effectively, directing resources toward addressing the weaknesses most likely to create exploitable vulnerabilities in production environments.
