The Open Web Application Security Project (OWASP) has unveiled the 2025 edition of its flagship OWASP Top 10 2025, marking the eighth installment and introducing significant updates to address evolving software security threats.
Released on November 6, 2025, this revised version incorporates community survey input and expanded data analysis, highlighting two new categories while consolidating others to better reflect root causes rather than symptoms.
The list remains a critical resource for developers, security professionals, and organizations aiming to prioritize web application risks.
OWASP Top 10 2025 Key Changes
The 2025 Top 10 features two fresh entries: A03:2025 – Software Supply Chain Failures and A10:2025 – Mishandling of Exceptional Conditions.
The former expands on the 2021’s Vulnerable and Outdated Components, encompassing broader ecosystem risks like dependencies, build systems, and distribution infrastructure.
This category, which includes five Common Weakness Enumerations (CWEs), topped community concerns despite limited testing data, underscoring the high exploit and impact potential its CVEs carry.
A10:2025 introduces 24 CWEs focused on improper error handling, logical flaws, and insecure failure states, such as failing open during abnormal conditions.
Previously scattered under “poor code quality,” this category addresses how mishandled exceptions can expose sensitive data or enable denial-of-service attacks.
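As an added illustration of the failure state A10:2025 describes (example code, not from OWASP or the article): an authorization check that treats any exception as "allow" fails open when its policy backend is unavailable, while the hardened version denies, logs the condition, and still returns a definite answer. The in-memory policy store, the principal names and the simulated backend error are constructed for the example.

```python
import logging

# Constructed in-memory policy store: principal -> granted permissions.
POLICY = {"alice": {"report:read"}, "bob": set()}


class PolicyBackendError(Exception):
    """Simulates the policy store being unreachable (timeout, outage)."""


def lookup_permissions(user, backend_down=False):
    """Return the principal's permissions; raises under abnormal conditions."""
    if backend_down:
        raise PolicyBackendError("policy store timeout")
    if user not in POLICY:
        raise KeyError(user)  # unknown principal
    return POLICY[user]


def is_allowed_fail_open(user, perm, backend_down=False):
    """Vulnerable pattern: any exception short-circuits to 'allow'.

    An outage or an unknown principal silently grants access (fails open).
    """
    try:
        return perm in lookup_permissions(user, backend_down)
    except Exception:
        return True


def is_allowed_fail_closed(user, perm, backend_down=False):
    """Hardened pattern: exceptional conditions deny and are logged with context.

    Each expected failure mode is handled explicitly; nothing unexpected is
    swallowed, so a genuine bug still surfaces instead of being masked.
    """
    try:
        return perm in lookup_permissions(user, backend_down)
    except PolicyBackendError as exc:
        logging.error("authz backend error for %r: %s", user, exc)
        return False
    except KeyError:
        logging.warning("authz: unknown principal %r", user)
        return False
```

With the backend "down", the fail-open check grants `bob` a permission he does not hold; the fail-closed check denies it and records why.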
Meanwhile, A10:2021 – Server-Side Request Forgery (SSRF) has been merged into A01:2025 – Broken Access Control, which retains its top spot with 40 CWEs affecting 3.73% of tested applications on average.
Other shifts include A02:2025 – Security Misconfiguration rising to second place (from fifth in 2021), impacting 3.00% of apps due to growing configuration complexities.
A04:2025 – Cryptographic Failures dropped to fourth, while A05:2025 – Injection and A06:2025 – Insecure Design each fell two spots. Authentication Failures (A07) was renamed for precision, and Logging & Alerting Failures (A09) now emphasizes actionable alerts over mere monitoring.
| Rank | Category Code | Name | Summary | Change from 2021 |
|---|---|---|---|---|
| 1 | A01:2025 | Broken Access Control | Flaws allowing attackers to bypass authorization or gain unauthorized access to data or functions. Includes 40 CWEs, affecting 3.73% of tested applications on average. | Maintains #1; SSRF (A10:2021) consolidated into this category. |
| 2 | A02:2025 | Security Misconfiguration | Weak default settings, exposed services, or inconsistent security controls across environments. Impacts 3.00% of applications. | Moved up from #5 due to increased configuration complexity. |
| 3 | A03:2025 | Software Supply Chain Failures | Vulnerabilities in dependencies, CI/CD systems, build processes, and distribution infrastructure. Covers 5 CWEs with high exploit scores. | New; expands A06:2021 Vulnerable and Outdated Components. |
| 4 | A04:2025 | Cryptographic Failures | Insecure or outdated encryption practices leading to sensitive data exposure or system compromise. Includes 32 CWEs, affecting 3.80% of apps. | Dropped from #2. |
| 5 | A05:2025 | Injection | Input validation flaws like SQL, OS command, or XSS injections. Associated with 38 CWEs and numerous CVEs. | Dropped from #3. |
| 6 | A06:2025 | Insecure Design | Risks from poor architectural decisions or inadequate threat modeling during design. | Dropped from #4; shows industry improvements in secure design. |
| 7 | A07:2025 | Authentication Failures | Issues in login, password policies, or session handling enabling unauthorized access. Covers 36 CWEs. | Maintains #7; renamed from Identification and Authentication Failures. |
| 8 | A08:2025 | Software or Data Integrity Failures | Failures to verify integrity of software, code, or data, allowing tampering. Focuses on lower-level trust boundaries. | Maintains #8; minor refinement of its focus on integrity verification. |
| 9 | A09:2025 | Logging & Alerting Failures | Gaps in monitoring, logging, or alerting that let attacks go undetected. | Maintains #9; renamed to emphasize alerting over just logging. |
| 10 | A10:2025 | Mishandling of Exceptional Conditions | Improper error handling, logical flaws, or insecure failure states exposing data or causing DoS. Includes 24 CWEs. | New category; previously under poor code quality. |
A visual mapping diagram illustrates these evolutions, showing arrows from 2021 categories like SSRF and Vulnerable Components to their 2025 counterparts, with new additions branching out.

OWASP Top 10 2025 Classification Methodology
OWASP’s approach blends data from over 175,000 CVEs mapped to 643 CWEs, prioritizing prevalence (incidence rate) over raw frequency: a CWE is counted once per application that has at least one instance of it, rather than once per finding.
This edition maps 589 CWEs across the categories, averaging 25 per category and capping each at 40 so the list stays practical for language-specific training. Community surveys elevated the visibility of underrepresented risks, balancing historical data with frontline insights from practitioners.
Exploitability and impact scores are drawn from CVSS v2, v3, and v4, revealing shifts such as heavier impact weighting in the newer versions. The result: a forward-looking list emphasizing systemic vulnerabilities in modern, cloud-native environments.
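To make the prevalence-versus-frequency distinction concrete, here is an added example (not OWASP's own tooling) that computes both metrics over a constructed set of scan results and shows that they can rank the same CWEs differently. The app names and per-app findings are made up; the CWE ids are real identifiers used only as sample keys.

```python
from collections import defaultdict

# Constructed scan results: app -> one entry per finding (not OWASP's dataset).
FINDINGS = {
    "app-a": ["CWE-79", "CWE-79", "CWE-79", "CWE-79", "CWE-79"],
    "app-b": ["CWE-284"],
    "app-c": ["CWE-284", "CWE-79"],
    "app-d": ["CWE-284"],
    "app-e": [],
}


def frequency(findings):
    """Raw number of findings per CWE, summed across all applications."""
    counts = defaultdict(int)
    for cwes in findings.values():
        for cwe in cwes:
            counts[cwe] += 1
    return dict(counts)


def incidence_rate(findings):
    """Share of applications with at least one instance of each CWE.

    This is the prevalence measure the methodology favours: a single app
    riddled with one weakness counts once, not once per occurrence.
    """
    total = len(findings)
    apps_hit = defaultdict(int)
    for cwes in findings.values():
        for cwe in set(cwes):  # de-duplicate within the app
            apps_hit[cwe] += 1
    return {cwe: n / total for cwe, n in apps_hit.items()}


def ranking(scores):
    """CWE ids ordered from highest to lowest score (ties broken by id)."""
    return sorted(scores, key=lambda cwe: (-scores[cwe], cwe))
```

In this data CWE-79 leads by raw frequency (6 findings, 5 of them in one app) but CWE-284 leads by incidence (present in 3 of 5 apps versus 2 of 5), which is the ordering the Top 10 methodology uses.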
This update signals a maturing field, with improvements in areas like threat modeling evident in Insecure Design’s slide.
Challenges like access control issues, found in 9 out of 10 security tests, still require close attention. Organizations should include these in their DevSecOps processes, prioritizing supply chain checks and strong error handling.
As OWASP welcomes feedback until November 20, 2025, the final version is expected to be further refined before its full adoption in 2026.
This Top 10 list not only provides guidance for remediation but also promotes secure-by-design principles, helping organizations navigate an increasingly complex threat landscape.
