OWASP Top 10 2025: What Changed and Why It Matters

The OWASP Top 10 is the most widely used reference for web application security risk, and the baseline that many testing and compliance programmes are built on. The 2025 release brings the most significant changes in years: two new categories and ranking shifts that reflect how attacks against modern applications have evolved.

These changes aren’t academic—they shape security policies, penetration testing requirements, and development practices across the industry. Understanding what changed helps security teams prioritise resources and protect what matters most.

The Headline Changes

The 2025 release from OWASP introduces two entirely new categories and reshuffles the rankings based on analysis of 589 Common Weakness Enumerations (CWEs), up from roughly 400 in 2021. Here’s the complete list:

Rank   Category                                   Change from 2021
A01    Broken Access Control                      Stable at #1 (now also absorbs SSRF)
A02    Security Misconfiguration                  Up from #5
A03    Software Supply Chain Failures             NEW (expands Vulnerable and Outdated Components, #6 in 2021)
A04    Cryptographic Failures                     Down from #2
A05    Injection                                  Down from #3
A06    Insecure Design                            Down from #4
A07    Authentication Failures                    Stable at #7 (renamed from Identification and Authentication Failures)
A08    Software or Data Integrity Failures        Stable at #8
A09    Security Logging and Alerting Failures     Stable at #9 (renamed from Security Logging and Monitoring Failures)
A10    Mishandling of Exceptional Conditions      NEW

Two categories disappeared from the explicit list: Server-Side Request Forgery (SSRF, A10 in 2021) has been consolidated into Broken Access Control, and Vulnerable and Outdated Components (A06 in 2021) has been expanded and elevated into the new Software Supply Chain Failures category.

What’s New: Supply Chain Failures (A03)

The elevation of supply chain security from a component-focused concern to a full category reflects the reality that modern applications are assemblies of external code. When we assess applications at BSG, we routinely find that 80-90% of the codebase comes from dependencies.

This category encompasses:

  • Compromised dependencies and packages
  • Build system vulnerabilities
  • Malicious maintainer attacks
  • Distribution infrastructure compromises
  • Typosquatting on package registries

The attacks that drove this change are well-known: SolarWinds (2020), Codecov (2021), the ua-parser-js npm hijacking (2021), and the xz Utils backdoor (2024). Each demonstrated that attackers increasingly target the software supply chain rather than the application directly.

What this means for your team: Dependency scanning is no longer optional. You need Software Composition Analysis (SCA) in your pipeline, pinned dependency versions (ideally enforced with a lockfile or hashes, so a resolved dependency cannot silently change between builds), and a process for evaluating new packages before adoption. Consider maintaining a Software Bill of Materials (SBOM) for your applications. Our secure development training covers supply chain security best practices.
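As an added illustration of the pinning and package-vetting advice above (example code written for this article, not OWASP material and not BSG tooling), the script below audits a pip-style requirements file for unpinned versions, missing hashes, and package names that are suspiciously close to an approved one. The requirements text, the approved-package allowlist, the placeholder hash value and the 0.85 similarity threshold are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample requirements file for the example (not a real project's).
# The sha256 value on the first line is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3>=1.26
flask
reqeusts==2.32.3
"""

# Hypothetical allowlist of packages the team has already reviewed.
APPROVED_PACKAGES = {"requests", "urllib3", "flask", "cryptography"}

# name, optional comparison operator, optional version; the hash marker is checked separately.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s#]*)")


def closest_approved(name, approved):
    """Return (similarity, package) for the approved package most like `name`."""
    return max((SequenceMatcher(None, name, pkg).ratio(), pkg) for pkg in approved)


def audit_requirements(text, approved=APPROVED_PACKAGES, typosquat_threshold=0.85):
    """Flag each requirement that is unpinned, unhashed, unapproved, or a near-miss of an approved name.

    Returns a list of (line_number, finding, detail) tuples in file order.
    The similarity threshold is an assumption chosen for this example.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "-")):  # comments and pip options such as -r / --index-url
            continue
        match = REQ_LINE.match(line)
        if not match:
            findings.append((lineno, "unparseable", line))
            continue
        name = match.group(1).lower().replace("_", "-")
        operator, version = match.group(2), match.group(3)

        if operator != "==" or not version:
            findings.append((lineno, "unpinned", name))
        if "--hash=" not in line:
            findings.append((lineno, "no-hash", name))
        if name not in approved:
            similarity, candidate = closest_approved(name, approved)
            if similarity >= typosquat_threshold:
                findings.append((lineno, "possible-typosquat", f"{name} ~ {candidate}"))
            else:
                findings.append((lineno, "not-approved", name))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {finding}: {detail}")
```

The check expects each requirement on one line; pip's multi-line hash entries (continued with a backslash) should be joined before they are fed in. A near-miss against the allowlist is a prompt for a human to look at the package, not proof of typosquatting.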

What’s New: Mishandling of Exceptional Conditions (A10)

This category addresses a class of vulnerabilities that’s been lurking in the shadows: what happens when things go wrong? It covers 24 CWEs related to:

  • Improper error handling that reveals sensitive information
  • Logical errors when processing unexpected inputs
  • “Fail open” scenarios where security controls are bypassed on error
  • Uncaught exceptions that leave applications in insecure states
  • Resource exhaustion through unhandled edge cases

These aren’t the dramatic vulnerabilities that make headlines, but they’re the ones that let attackers pivot from a minor bug to a full compromise. An application that crashes cleanly and restarts has lost some availability. One that fails open may have granted administrative access to whoever triggered the failure.

What this means for your team: Review your error handling paths with security in mind. Test what happens when external services are unavailable, when inputs are malformed, and when resources are exhausted. Ensure your application fails closed—denying access when in doubt rather than granting it.
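To make the fail-open versus fail-closed distinction concrete, here is an added example (not code from this page or from OWASP) of an authorisation check that depends on a remote policy service. The in-memory policy table, the `PolicyServiceUnavailable` exception and the `available` flag that simulates an outage are assumptions made for the example. The second pair of functions shows the companion error-disclosure problem from the list above: one error response echoes exception internals to the client, the other returns only a correlation id and keeps the detail in the log.

```python
import logging
import uuid

logger = logging.getLogger("authz-example")


class PolicyServiceUnavailable(Exception):
    """Hypothetical failure raised when the remote policy decision point cannot be reached."""


# Constructed in-memory stand-in for a remote policy service: (user, resource) -> allowed.
POLICY_TABLE = {
    ("alice", "report:42"): True,
    ("bob", "report:42"): False,
}


def query_policy_service(user, resource, *, available=True):
    """Simulate the remote call; `available=False` stands in for a timeout or outage."""
    if not available:
        raise PolicyServiceUnavailable("policy service timed out (upstream 10.0.0.5:8443)")
    return POLICY_TABLE.get((user, resource), False)


def is_authorized_fail_open(user, resource, *, available=True):
    """Vulnerable: a dependency outage becomes a grant.

    This pattern usually arrives with a well-meaning comment such as
    "don't lock users out if the auth service is flapping".
    """
    try:
        return query_policy_service(user, resource, available=available)
    except Exception:
        return True  # BUG: every error path now authorises the request


def is_authorized_fail_closed(user, resource, *, available=True):
    """Hardened: deny by default, catch only the failure you expect, and record it."""
    try:
        return query_policy_service(user, resource, available=available)
    except PolicyServiceUnavailable as exc:
        logger.error("authz unavailable for user=%s resource=%s: %s", user, resource, exc)
        return False
    # Anything else (a bug, a bad config) propagates and becomes a 500, which is still a denial.


def error_response_leaky(exc):
    """Vulnerable: the caller sees exception internals (hostnames, paths, query text)."""
    return 500, f"Internal error: {exc}"


def error_response_safe(exc):
    """Hardened: the caller gets a correlation id; the detail goes only to the log."""
    correlation_id = uuid.uuid4().hex[:12]
    logger.error("request failed [%s]", correlation_id, exc_info=exc)
    return 500, f"Internal error (reference {correlation_id})"


if __name__ == "__main__":
    outage = {"available": False}
    print("fail-open,   bob,   outage:", is_authorized_fail_open("bob", "report:42", **outage))
    print("fail-closed, bob,   outage:", is_authorized_fail_closed("bob", "report:42", **outage))
    print("fail-closed, alice, ok    :", is_authorized_fail_closed("alice", "report:42"))
    boom = PolicyServiceUnavailable("db host 10.0.0.5 unreachable")
    print(error_response_leaky(boom))
    print(error_response_safe(boom))
```

The point of the test for "bob during an outage" is that both functions are reached by the same input; only the exception handler decides whether the outage is a denial or a grant. Catching the narrow exception type also matters: a bare `except Exception` in the fail-closed version would hide programming errors behind a silent deny, which is safer than a grant but still worth a log line.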

Major Ranking Changes in OWASP 2025

Security Misconfiguration: #5 to #2

This jump reflects a fundamental truth: as applications move to cloud infrastructure, configuration complexity has exploded. Default credentials, overly permissive CORS policies, exposed debugging endpoints, unnecessary features enabled—these aren’t exotic vulnerabilities, but they’re everywhere.

Cloud misconfigurations are particularly prevalent. S3 buckets with public access, overly permissive IAM roles, and exposed management interfaces appear in nearly every cloud security assessment we conduct.

Cryptographic Failures: #2 to #4

The relative decline doesn’t mean cryptographic issues have been solved—it reflects that other categories have become more prevalent in the data. Organisations still struggle with:

  • Weak or deprecated algorithms
  • Improper key management
  • Missing encryption for sensitive data in transit and at rest
  • Cryptographic implementation flaws

Injection: #3 to #5

SQL injection was once the poster child of web application security. Its decline in the rankings reflects genuine progress: parameterised queries are now the default in most frameworks, and developers are more aware of the risk. However, injection hasn’t disappeared—it’s evolved. NoSQL injection, LDAP injection, and expression language injection remain active threats.
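An added example (not from this page or from OWASP) of the vulnerable-versus-parameterised contrast, using Python's built-in sqlite3 so it runs offline. The users table, the credentials and the comment-based payload are constructed for the demonstration; plaintext passwords are used only to keep the query shape visible, and a real system would compare password hashes in application code rather than in SQL.

```python
import sqlite3


def make_demo_db():
    """Constructed demo database (not a real schema); plaintext passwords are for readability only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "correct-horse", 1), ("bob", "battery-staple", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: attacker-controlled text becomes SQL syntax."""
    query = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn, username, password):
    """Placeholders: the driver passes values separately from the statement text."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Constructed payload: the SQL comment marker removes the password check from the statement,
# turning it into  ... WHERE username = 'alice' --' AND password = '...'
BYPASS_USERNAME = "alice' --"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable,    bypass payload:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("parameterised, bypass payload:", login_parameterised(db, BYPASS_USERNAME, "wrong"))
    print("parameterised, real creds    :", login_parameterised(db, "alice", "correct-horse"))
```

The parameterised version is not "escaping": the payload is still sent to the database, but as a value that happens to contain a quote and two dashes, so no user named `alice' --` exists and the lookup simply fails. The same separation of code from data is what the fixes for NoSQL, LDAP and expression-language injection have to achieve in their own syntaxes.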

Category-by-Category Analysis

A01: Broken Access Control (Stable)

Broken access control has held the top position since 2021, and for good reason. It encompasses:

  • Insecure direct object references (IDOR)
  • Missing function-level access controls
  • Privilege escalation vulnerabilities
  • CORS misconfigurations
  • Server-Side Request Forgery (SSRF)—now consolidated here

In OWASP’s 2021 data, 94% of applications had been tested for some form of broken access control, and the CWEs mapped to the category had more occurrences in applications than any other category. Every application makes access control decisions, and getting them wrong is easy.
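Overly permissive CORS appears both under Security Misconfiguration above and in the access-control list here, so one added example covers both (written for this article, not taken from the page or from OWASP). The allowed-origin set is hypothetical, and the functions model only the response headers a server would emit for a given request `Origin`. Two broken checks sit beside the allowlist version: reflecting the Origin header, and matching on a substring of the hostname.

```python
from urllib.parse import urlsplit

# Hypothetical set of first-party origins allowed to make credentialed cross-origin calls.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

CREDENTIALED = {"Access-Control-Allow-Credentials": "true"}


def cors_reflect_origin(request_headers):
    """Misconfigured: echoes whatever Origin arrives, with credentials.

    Any site a logged-in user visits can now read this API's responses as that user.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin, **CREDENTIALED}


def cors_suffix_match(request_headers):
    """Also misconfigured: a substring check on the hostname.

    'https://evilexample.com' and 'https://example.com.attacker.net' both pass.
    """
    origin = request_headers.get("Origin", "")
    if "example.com" in origin:
        return {"Access-Control-Allow-Origin": origin, **CREDENTIALED}
    return {}


def cors_allowlist(request_headers, allowed=ALLOWED_ORIGINS):
    """Hardened: exact match of scheme://host[:port] against a fixed allowlist."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request; send no CORS headers at all
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query or parts.fragment:
        return {}  # rejects the literal "null" origin, plain http, and anything that is not a bare origin
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in allowed:
        return {}
    # Vary: Origin stops a shared cache from handing one origin's response to another.
    return {"Access-Control-Allow-Origin": normalized, **CREDENTIALED, "Vary": "Origin"}


if __name__ == "__main__":
    for origin in ["https://app.example.com", "https://evilexample.com", "https://example.com.attacker.net", "null"]:
        req = {"Origin": origin}
        print(f"{origin:40} reflect={bool(cors_reflect_origin(req))} "
              f"suffix={bool(cors_suffix_match(req))} allowlist={bool(cors_allowlist(req))}")
```

The hardened function never emits `Access-Control-Allow-Origin: *` together with credentials, because browsers reject that combination anyway; the real risk is the reflected or loosely matched origin, which browsers accept. If a wildcard is genuinely needed for public, unauthenticated data, it should be served without the credentials header.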

A07: Authentication Failures (Renamed)

Previously “Identification and Authentication Failures,” the simplified name better reflects the 36 CWEs in this category. It covers:

  • Credential stuffing attacks
  • Weak password policies
  • Session management flaws
  • Multi-factor authentication bypasses
  • Account enumeration

A09: Security Logging and Alerting Failures (Renamed)

Previously “Security Logging and Monitoring Failures”, this category covers the detective controls that let organisations identify and respond to attacks; the new name puts the emphasis on actually raising an alert, not just writing a log. Without proper logging and alerting:

  • Breaches go undetected for months
  • Forensic investigation has little evidence to work from
  • Compliance requirements cannot be met
  • Attack patterns cannot be identified

What OWASP Top 10 2025 Means for Your Security Team

The 2025 update suggests several shifts in security priorities:

1. Shift left on supply chain: Your CI/CD pipeline needs dependency scanning before code reaches production. Audit your build process—where do binaries come from? Who has push access to your package repositories?

2. Test the unhappy paths: Security testing often focuses on valid inputs. The rise of “Exceptional Conditions” as a category suggests testers need to examine what happens when systems fail.

3. Configuration as code, configuration as risk: With misconfiguration rising to #2, infrastructure-as-code repositories need the same security review as application code. Default-deny policies should be the baseline, whether you’re securing web applications or cloud infrastructure.

4. Access control requires design: You can’t bolt on access control after the fact. The persistence of Broken Access Control at #1 indicates that organisations need to design access control into their architectures from the start.

Application Security Testing for OWASP Top 10 2025

Our application security testing methodology covers all OWASP Top 10 categories, with particular focus on the logic flaws that automated scanners miss. For the 2025 categories specifically:

Supply Chain Assessment: We analyse your dependency tree, identify outdated or vulnerable components, and assess your build pipeline for compromise opportunities.

Access Control Testing: We systematically test authorisation boundaries, looking for privilege escalation paths and IDOR vulnerabilities that require business logic understanding.

Error Handling Analysis: We probe edge cases, malformed inputs, and failure scenarios to identify where applications might fail open or leak sensitive information.

The OWASP Top 10 provides a framework, but real security requires testing that goes beyond checkbox compliance to understand how your specific application can be compromised.

AI and LLM Applications: A New Frontier

For organisations building or integrating AI-powered features, the traditional OWASP Top 10 is only part of the picture. OWASP has released a separate Top 10 for LLM Applications, addressing risks specific to generative AI systems like prompt injection, training data poisoning, and excessive agency.

If your application incorporates large language models, you’ll need to consider both lists.

FAQ

What is the OWASP Top 10?

The OWASP Top 10 is a standard awareness document representing the most critical security risks to web applications. Published by the Open Worldwide Application Security Project (OWASP, formerly the Open Web Application Security Project), it’s updated periodically based on data from security assessments worldwide and serves as a baseline for application security testing.

How often is the OWASP Top 10 updated?

The OWASP Top 10 is typically updated every 3-4 years. The 2025 version follows the 2021 release, with earlier versions in 2017, 2013, 2010, 2007, 2004 and 2003. Updates incorporate new vulnerability data, emerging attack techniques, and community feedback.

What happened to SSRF in the 2025 list?

Server-Side Request Forgery (SSRF), which was A10 in 2021, has been consolidated into A01: Broken Access Control in 2025. This reflects SSRF’s nature as an access control bypass rather than a distinct vulnerability category.

Is the OWASP Top 10 a compliance requirement?

The OWASP Top 10 isn’t a compliance standard itself, but it’s referenced by other standards and frameworks: PCI DSS names it as an example source of secure-coding guidance, and auditors and customers commonly ask for testing mapped to it. Many organisations use it as a minimum baseline for security testing requirements.

How does OWASP Top 10 2025 differ from 2021?

The 2025 release adds two new categories (Software Supply Chain Failures at A03, Mishandling of Exceptional Conditions at A10), consolidates SSRF into Broken Access Control, and elevates Security Misconfiguration from #5 to #2. It also analyses significantly more CWEs (589 vs approximately 400).

Conclusion

The OWASP Top 10 2025 reflects where the industry is actually failing to secure applications. Supply chain attacks have moved from theoretical to catastrophic. Misconfigurations in cloud environments create attack surface at scale. And the edge cases—the exceptional conditions—are where sophisticated attackers find their footholds.

Use this update as an opportunity to reassess your security priorities. The categories that dropped in ranking haven’t become less important; rather, the landscape has evolved to present new challenges alongside persistent ones.

For organisations serious about application security, the OWASP Top 10 is a starting point, not a destination. Understanding how these vulnerabilities manifest in your specific applications requires expert security testing that goes beyond automated scanning.

BSG provides comprehensive application security testing covering all OWASP Top 10 categories and beyond. Our team combines automated scanning with manual testing to identify the business logic flaws and chained vulnerabilities that automated tools miss.