Here is HackerOne’s perspective on the Top 10 list for LLM vulnerabilities, how the list has changed, and what solutions can help secure against these risks.
Browse by LLM vulnerability:
- Prompt Injection
- Sensitive Information Disclosure
- Supply Chain Vulnerabilities
- Data and Model Poisoning
- Improper Output Handling
- Excessive Agency
- System Prompt Leakage
- Vector and Embedding Weaknesses
- Misinformation
- Unbounded Consumption
The OWASP Top 10 for LLMs: 2024 vs. 2025
2024 |
Change |
2025 |
LLM01: Prompt Injection |
No change |
LLM01: Prompt Injection |
LLM02: Insecure Output Handling |
↓3 |
LLM02: Sensitive Information Disclosure |
LLM03: Training Data Poisoning |
↓1 |
LLM03: Supply Chain Vulnerabilities |
LLM04: Model Denial of Service |
✕ |
LLM04: Data and Model Poisoning |
LLM05: Supply Chain Vulnerabilities |
↑2 |
LLM05: Improper Output Handling |
LLM06: Sensitive Information Disclosure |
↑4 |
LLM06: Excessive Agency |
LLM07: Insecure Plugin Design |
✕ |
LLM07: System Prompt Leakage |
LLM08: Excessive Agency |
↑2 |
LLM08: Vector and Embedding Weaknesses |
LLM09: Overreliance |
✕ |
LLM09: Misinformation |
LLM10: Model Theft |
✕ |
LLM10: Unbounded Consumption |
LLM01: Prompt Injection
Position change: None
What Is Prompt Injection?
One of the most commonly discussed LLM vulnerabilities, Prompt Injection is a vulnerability during which an attacker manipulates the operation of a trusted LLM through crafted inputs, either directly or indirectly. For example, an attacker leverages an LLM to summarize a webpage containing a malicious and indirect prompt injection. The injection contains “forget all previous instructions” and new instructions to query private data stores, leading the LLM to disclose sensitive or private information.
Solutions to Prompt Injection
Several actions can contribute to preventing Prompt Injection vulnerabilities, including:
- Enforcing privilege control on LLM access to the backend system
- Segregating external content from user prompts
- Keeping humans in the loop for extensible functionality
LLM02: Sensitive Information Disclosure
Position change: ↑4
What Is Sensitive Information Disclosure?
Sensitive Information Disclosure is when LLMs inadvertently reveal confidential data. This can result in the exposing of proprietary algorithms, intellectual property, and private or personal information, leading to privacy violations and other security breaches. Sensitive Information Disclosure can be as simple as an unsuspecting legitimate user being exposed to other user data when interacting with the LLM application in a non-malicious manner. But it can also be more high-stakes, such as a user targeting a well-crafted set of prompts to bypass input filters from the LLM to cause it to reveal personally identifiable information (PII). Both scenarios are serious, and both are preventable.
Why the Move?
With the easy integration of LLMs into various systems (databases, internal issue trackers, files, etc.), the risk of sensitive information disclosure has increased significantly. Attackers can exploit these integrations by crafting specific prompts to extract sensitive data such as employee payrolls, Personally Identifiable Information (PII), health records, and confidential business data. Given the rapid adoption of LLMs in organizational workflows without adequate risk assessments, this issue has been elevated in importance.
Solutions to Sensitive Information Disclosure
To prevent sensitive information disclosure, organizations need to:
- Integrate adequate data input/output sanitization and scrubbing techniques
- Implement robust input validation and sanitization methods
- Practice the principle of least privilege when training models
- Leverage hacker-based adversarial testing to identify possible sensitive information disclosure issues
LLM03: Supply Chain Vulnerabilities
Position change: ↑2
What Are Supply Chain Vulnerabilities?
The supply chain in LLMs can be vulnerable, impacting the integrity of training data, Machine Learning (ML) models, and deployment platforms. Supply Chain Vulnerabilities in LLMs can lead to biased outcomes, security breaches, and even complete system failures. Traditionally, supply chain vulnerabilities are focused on third-party software components, but within the world of LLMs, the supply chain attack surface is extended through susceptible pre-trained models, poisoned training data supplied by third parties, and insecure plugin design.
Why the Move?
The demand for cost-effective and performant LLMs has led to a surge in the use of open-source models and third-party packages. However, many organizations fail to adequately vet these components, leaving them vulnerable to supply chain attacks. Using unverified models, outdated or deprecated packages, or compromised training data can introduce backdoors, biases, and other security flaws. Recognizing the importance of a secure supply chain in mitigating these risks and potential legal ramifications, this vulnerability has moved up the list.
Solutions to Supply Chain Vulnerabilities
Supply Chain Vulnerabilities in LLMs can be prevented and identified by:
- Carefully vetting data sources and suppliers
- Using only reputable plug-ins, scoped appropriately to your particular implementation and use cases
- Conducting sufficient monitoring, adversarial testing, and proper patch management
LLM04: Data and Model Poisoning
Position change: ↓1
What Is Data and Model Poisoning?
Training data poisoning refers to the manipulation of data or fine-tuning of processes that introduce vulnerabilities, backdoors, or biases and could compromise the model’s security, effectiveness, or ethical behavior. It’s considered an integrity attack because tampering with training data impacts the model’s ability to output correct predictions.
Solutions to Data and Mode Poisoning
Organizations can prevent Training Data Poisoning by:
- Verifying the supply chain of training data, the legitimacy of targeted training data, and the use case for the LLM and the integrated application
- Ensuring sufficient sandboxing to prevent the model from scraping unintended data sources
- Use strict vetting or input filters for specific training data or categories of data sources
LLM05: Improper Output Handling
Position change: ↓3
What Is Insecure Output Handling?
Insecure Output Handling occurs when an LLM output is accepted without scrutiny, potentially exposing backend systems. Since LLM-generated content can be controlled by prompt input, this behavior is similar to providing users indirect access to additional functionality, such as passing LLM output directly to backend, privileged, or client-side functions. This can, in some cases, lead to severe consequences like XSS, CSRF, SSRF, privilege escalation, or remote code execution.
Solutions to Improper Output Handling
There are three key ways to prevent Insecure Output Handling:
- Treating the model output as any other untrusted user content and validating inputs
- Encoding output coming from the model back to users to mitigate undesired code interpretations
- Pentesting to uncover insecure outputs and identify opportunities for more secure output
LLM06: Excessive Agency
Position change: ↑2
What Is Excessive Agency?
Excessive Agency is typically caused by excessive functionality, excessive permissions, and/or excessive autonomy. One or more of these factors enables damaging actions to be performed in response to unexpected or ambiguous outputs from an LLM. This takes place regardless of what is causing the LLM to malfunction — confabulation, prompt injection, poorly engineered prompts, etc. — and creates impacts across the confidentiality, integrity, and availability spectrum.
Solutions to Excessive Agency
To avoid the vulnerability of Excessive Agency, organizations should:
- Limit the tools, functions, and permissions to only the minimum necessary for the LLM
- Tightly scope functions, plugins, and APIs to avoid over-functionality
- Require human approval for major and sensitive actions, leverage an audit log
LLM07: System Prompt Leakage
Position change: New
What Is System Prompt Leakage?
This new entry reflects the growing awareness of the risks associated with embedding sensitive information within system prompts. System prompts, designed to guide LLM behavior, can inadvertently leak secrets if not carefully constructed. Attackers can exploit this leaked information to facilitate further attacks.
Solutions to System Prompt Leakage
There are many methods to prevent System Prompt Leakage, including:
- Never embed sensitive data in system prompts
- Implement guardrails
- Avoid relying on system prompts for strict behavior control
LLM08: Vector and Embedding Weaknesses
Position change: New
What Is Vector and Embedding Weaknesses?
LLMs rely on vector embeddings to represent and process information. Weaknesses in how these vectors are generated, stored, or retrieved can be exploited to inject harmful content, manipulate model outputs, or access sensitive data. This can lead to unauthorized access, data leakage, embedding inversion attacks, data poisoning, and behavior alteration.
Solutions to Vector and Embedding Weaknesses
Some key ways to prevent Vector and Embedding Weaknesses include:
- Implement granular access controls
- Implement robust data validation pipelines for knowledge sources
- Classify data within the knowledge base to control access levels and prevent data mismatch errors
LLM09: Misinformation
Position change: New
What Is Misinformation?
This category replaces “Overreliance” and addresses the potential for LLMs to generate and disseminate factually incorrect or misleading information. While overreliance contributes to this problem, the focus shifts to the active generation of misinformation, commonly referred to as hallucinations or confabulations.
Solutions to Misinformation
Here are some of the most important methods for preventing Misinformation:
- Always cross-check LLM outputs against trusted external sources
- Break down complex tasks into smaller, manageable subtasks to reduce the likelihood of hallucinations
- Improve output quality through fine-tuning, embedding augmentation, or other techniques
LLM10: Unbounded Consumption
Position change: New
What Is Unbounded Consumption?
This new entry encompasses the risks associated with excessive resource consumption during LLM inference, including computational resources, memory, and API calls. This can lead to denial-of-service conditions, increased costs, and potential performance degradation. Model theft and Model Denial of Service, previously a separate entry, is now considered a subset of this broader category.
Solutions to Unbounded Consumption
There are several key methods to prevent Unbounded Consumption, including:
- Sanitize and validate user inputs to prevent malicious or overly complex queries
- Implement rate-limiting mechanisms to control the number of requests an LLM can process within a given timeframe
- Restrict access to LLM APIs and resources based on user roles and permissions.
- Train models to be resistant to adversarial inputs
- Use Sandbox Techniques restricting the LLM’s access to network resources, internal services, and APIs
Securing the Future of LLMs
This new release by the OWASP Foundation enables organizations looking to adopt LLM technology (or recently did so) to guard against common pitfalls. In many cases, organizations simply are unable to catch every vulnerability. HackerOne is committed to helping organizations secure their LLM applications and to staying at the forefront of security trends and challenges.
HackerOne’s solutions are effective at identifying vulnerabilities and risks that stem from weak or poor LLM implementations. Conduct continuous adversarial testing through Bug Bounty, targeted hacker-based testing with Challenge, or comprehensively assess an entire application with Pentest or Code Security Audit.
Contact us today to learn more about how we can help secure your LLM and secure against LLM vulnerabilities.