Software supply chain failures and mishandling of exceptional conditions are some of the additions to the updated OWASP Top 10, a list of top web application vulnerabilities.
Most of the list has remained unchanged since 2021. In fact, the top item, broken access control, has been on the Open Worldwide Application Security Project’s list since it was first released in 2003.
“Everyone tries to craft their own authentication and access control mechanisms,” says Jeff Williams, CTO and cofounder at Contrast Security. Williams created the list and served as the chair of the OWASP board for eight years.
There are standard mechanisms out there, but most applications have specialized needs, he says. “I’ve seen some really god-awful horrific machines that people have built to do access control checks, and they don’t build them elegantly. They build them piece by piece. ‘Oh, we’re building this function, we need to do an access check’ — and they build their own access check. And almost nobody tests access control.”
A typical web application may have a hundred endpoints, Williams says, each one of which can be accessed by a number of different roles. “Now you have to make sure that each of those routes work in each of those roles. Most people do a scan of their application with one role in mind, like that of a normal user. And maybe with an admin user. But there could be twenty different roles, so it’s very difficult to verify.”
AI didn’t make the top ten list, but it was included in a “next steps” section of issues on the cusp of inclusion, in addition to a lack of application resilience and memory management failures.
This AI category is titled: X03:2025 Inappropriate Trust in AI Generated Code (‘Vibe Coding’).
“Although we didn’t have data to support the fact that AI-generated code is causing significantly more risk than human-written code available, thanks to community feedback, professional experience, and constant online sharing of such data, we felt it prudent to add a section,” says Tanya Janca, lead author of the OWASP Top 10.
Developers should read and fully understand AI-generated code before committing it, she says.
The OWASP Top 10 list is based on a combination of security data from a dozen different organizations, covering nearly 3 million applications, as well as a survey of 221 security experts, says security metrics expert Aram Hovsepyan, CEO at Codific and an OWASP contributing member.
Here are the top 10:
1 – Broken access control
When applications fail to properly enforce restrictions on what authenticated users are allowed to do, allowing attackers to access unauthorized functionality or data. For example, an attacker might manipulate a URL parameter to access another user’s account information or escalate their privileges from a regular user to an administrator. This item now includes server-side request forgery, which was its own list item in 2021.
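The URL-parameter case above and the role-by-route testing Williams describes, as an added example that is not from the article or from OWASP. It puts a check that trusts the parameter beside one that enforces ownership, then exercises every route as every role and compares the result with the intended policy; the users, accounts, routes and policy table are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"

# Constructed sample data: account records keyed by account id.
ACCOUNTS = {1: {"owner": 1, "balance": 100}, 2: {"owner": 2, "balance": 250}}

def get_account_vulnerable(current: User, account_id: int) -> dict:
    """Trusts the URL parameter outright: any signed-in user can read any account."""
    return ACCOUNTS[account_id]

def get_account(current: User, account_id: int) -> dict:
    """Object-level check: only the owner or an admin may read the record."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise LookupError("no such account")
    if current.role != "admin" and account["owner"] != current.id:
        raise PermissionError("forbidden")
    return account

def list_accounts(current: User) -> list:
    """Function-level check: an admin-only route."""
    if current.role != "admin":
        raise PermissionError("forbidden")
    return sorted(ACCOUNTS)

def access_matrix(roles, routes) -> dict:
    """Call every route as a caller holding every role; True means the call got through."""
    result = {}
    for role in roles:
        caller = User(id=1, role=role)  # user 1 owns account 1 only
        for name, call in routes.items():
            try:
                call(caller)
                result[(role, name)] = True
            except PermissionError:
                result[(role, name)] = False
    return result

def violations(actual: dict, expected: dict) -> list:
    """Cells where observed behaviour differs from the intended role/route policy."""
    return sorted(cell for cell, allowed in expected.items() if actual[cell] != allowed)

# Intended policy per (role, route); in a real application this table is the long one.
POLICY = {("user", "read_other"): False, ("user", "list"): False,
          ("admin", "read_other"): True, ("admin", "list"): True}
HARDENED = {"read_other": lambda u: get_account(u, 2), "list": list_accounts}
VULNERABLE = {"read_other": lambda u: get_account_vulnerable(u, 2), "list": list_accounts}
```

Running `violations(access_matrix(["user", "admin"], VULNERABLE), POLICY)` flags the one cell where a regular user reads someone else's account; the hardened routes produce an empty list.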
2 – Security misconfiguration
Security settings are not properly defined, implemented, or maintained, leaving systems exposed to attack. Common examples include default credentials that are never changed, unnecessary features left enabled, verbose error messages that reveal sensitive information, or cloud storage buckets left publicly accessible. This vulnerability jumped from fifth place in 2021 to second place in 2025.
3 – Software supply chain failures
Attackers compromise software during build, distribution, or update to inject malicious code that is then distributed to many organizations. For example, attackers might compromise a popular open-source library and inject malicious code that then gets incorporated into thousands of applications that depend on it, or breach a vendor’s system to insert backdoors into legitimate software updates. This is a new list item, though there was a narrower related item in 2021 — vulnerable and outdated components.
“Developers have become a primary target for many online attacks now,” says Janca. “It is no longer a problem of including a library that has a questionable dependency.” Instead, she says, there are now active attacks against the IDE, against the CI/CD pipeline, against plugins and repositories, against developer workstations, and more. “The entire software supply chain is currently a focus for attackers,” she says.
4 – Cryptographic failures
Applications fail to properly protect sensitive data through encryption or use weak or broken cryptographic algorithms. Examples include transmitting sensitive data in clear text, using weak encryption algorithms, not properly validating SSL/TLS certificates, or storing passwords without proper hashing. These failures often lead to sensitive data exposure or system compromise. This item moved down from second place on 2021’s list.
5 – Injection
Untrusted data is submitted as part of a command or query, tricking the application into executing unintended commands or accessing unauthorized data. Examples range from cross-site scripting, where attackers inject malicious scripts into web pages viewed by other users, to SQL injection, where attackers inject into database queries to access or modify sensitive data. This item has also moved a couple of spots down on this year’s list.
6 – Insecure design
Security wasn’t properly considered during the design phase of the application, resulting in missing or ineffective controls. Examples include failing to implement proper threat modeling, not establishing security requirements before development begins, or designing systems that lack defense in depth. This category was introduced in 2021 to focus on design and architectural flaws rather than implementation bugs, but it’s moved down a couple of places because the industry has made noticeable improvements in threat modeling.
7 – Authentication failures
Applications fail to properly verify the identity of users or fail to protect authentication credentials and session tokens. Examples include allowing brute force attacks, permitting weak passwords, exposing session IDs in URLs, not properly invalidating sessions after logout, or failing to implement multi-factor authentication for sensitive functions.
8 – Software or data integrity failures
Applications fail to maintain trust boundaries and verify the integrity of software, code, and data artifacts. Examples include applications that rely on plugins, libraries, or modules from untrusted sources without integrity checks, insecure CI/CD pipelines that allow code to be modified before deployment, or applications that auto-update without verifying digital signatures.
9 – Security logging and alerting failures
Applications fail to log security-relevant events or fail to alert security teams when suspicious activities occur. Examples include not logging failed login attempts, storing logs locally without backup, logging insufficient detail to reconstruct attacks, or generating logs that don’t integrate with security information and event management (SIEM) systems. Great logging with no alerting is of minimal value in identifying security incidents.
10 – Mishandling of exceptional conditions
Applications fail to properly handle errors, edge cases, and abnormal conditions, leading to security vulnerabilities. Examples include displaying detailed error messages that reveal sensitive information about system architecture, security checks that fail and allow unauthorized access when errors occur, or applications that crash and expose sensitive data in memory dumps.
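Two of the failure modes named above, a security check that lets requests through when an error occurs and an error message that leaks backend detail, as an added example that is not from the article. The policy backend, its outage flag and the "only user 1 may export" rule are constructed stand-ins; the fail-open function is the defective pattern, the second function the fail-closed replacement.

```python
import logging

log = logging.getLogger("authz")

class AuthzUnavailable(Exception):
    """Raised by the (constructed) policy backend when it cannot answer."""

def lookup_permission(user_id: int, action: str, backend_up: bool = True) -> bool:
    """Stand-in for a policy service; backend_up=False simulates a timeout."""
    if not backend_up:
        # Constructed message with the kind of internal detail that must not reach a client.
        raise AuthzUnavailable("policy store timeout after 5s (host policy-db-01)")
    return user_id == 1 and action == "export"  # constructed rule: only user 1 may export

def authorize_fail_open(user_id: int, action: str, backend_up: bool = True) -> bool:
    """Defective pattern: the error branch logs and then falls through to the success path."""
    try:
        if not lookup_permission(user_id, action, backend_up):
            return False
    except Exception as exc:
        log.warning("authz check failed: %s", exc)
    return True  # BUG: an outage or any unexpected exception grants access

def authorize(user_id: int, action: str, backend_up: bool = True) -> tuple:
    """Fails closed: any error denies, full detail goes to the server log only,
    and the caller gets a generic message that reveals nothing about the backend."""
    try:
        allowed = lookup_permission(user_id, action, backend_up)
    except AuthzUnavailable as exc:
        log.error("authz backend error user=%s action=%s: %s", user_id, action, exc)
        return False, "Request could not be completed"
    return allowed, ("" if allowed else "Forbidden")
```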
This is a category that has been just outside the top 10 for several years, says Brian Glas, department chair of computer science at Union University and an OWASP project leader. What took this item over the top was not the data about existing vulnerabilities, he says, but the survey of experts.
“If it was purely data-driven, we would not have an accurate list as it would only be looking into the past.”