
OWASP Top 10 2025 Released: What’s New in Web App Security

The OWASP Top 10:2025 highlights evolving web security risks and the need for proactive, resilient software defenses.

Written By
Ken Underhill
Nov 7, 2025

The Open Worldwide Application Security Project (OWASP) has released a draft of the OWASP Top 10 for 2025, introducing two new categories (Software Supply Chain Failures and Mishandling of Exceptional Conditions) and reshaping its list of the most critical web application security risks.

Published in November 2025, this edition reflects the changing threat landscape: it expands focus areas such as supply chain security and error handling, and it consolidates older categories to address root causes rather than symptoms. Server-Side Request Forgery (A10:2021), for example, is now treated under Broken Access Control, and Vulnerable and Outdated Components (A06:2021) is broadened into Software Supply Chain Failures.

OWASP Top 10 For 2025

The OWASP Top 10:2025 serves as a global standard for understanding and mitigating the most critical security risks affecting web applications. 

Each category represents a prevalent class of vulnerabilities that, if left unaddressed, can lead to serious breaches, data loss, or system compromise. 

The following overview outlines each of the Top 10 risks, explaining what they are, why they matter, and how organizations can effectively mitigate them to build cyber resilience.

A01:2025 – Broken Access Control

Broken access control occurs when applications fail to properly enforce user permissions, allowing attackers to access data or execute functions outside their authorized scope. 

This category remains one of the most exploited vulnerabilities, frequently leading to data breaches and privilege escalation. 

Because improper access control directly undermines system integrity and confidentiality, addressing it is critical for all organizations. 

Effective mitigation involves enforcing the principle of least privilege, denying access by default, checking authorization server-side on every request (including object-level ownership, not just the caller's role), implementing robust role-based access controls (RBAC), and regularly testing authorization mechanisms so that regressions are caught before release.
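The object-level check described above, as an added example that is not part of the OWASP document or this article: a hypothetical invoice endpoint, first in its broken form (the id from the URL is trusted and ownership is never checked, a classic IDOR) and then with a single deny-by-default decision point. The users, invoices, and role names are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin" (constructed roles)


# Constructed in-memory store standing in for a database: invoice id -> record.
INVOICES = {
    101: {"owner": 1, "amount": 120.00},
    102: {"owner": 2, "amount": 999.00},
}


class Forbidden(Exception):
    pass


def get_invoice_broken(user: User, invoice_id: int) -> dict:
    """Vulnerable handler: the id comes from the URL and ownership is never
    checked, so any logged-in user can read any invoice (an IDOR)."""
    return INVOICES[invoice_id]


def can_read_invoice(user: User, invoice_id: int) -> bool:
    """Single authorization decision point, deny by default: access is granted
    only when an explicit rule says so."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    if user.role == "admin":
        return True
    return invoice["owner"] == user.user_id


def get_invoice(user: User, invoice_id: int) -> dict:
    """Hardened handler: the check runs server-side on every request, and a
    foreign id gets the same answer as a non-existent one so the endpoint
    cannot be used to enumerate valid invoice ids."""
    if not can_read_invoice(user, invoice_id):
        raise Forbidden("not found")
    return INVOICES[invoice_id]


def authorization_matrix() -> dict:
    """Regression check of the rules, the kind of test to keep in CI."""
    alice, bob, admin = User(1, "customer"), User(2, "customer"), User(3, "admin")

    def allowed(u: User, invoice_id: int) -> bool:
        try:
            get_invoice(u, invoice_id)
            return True
        except Forbidden:
            return False

    return {
        "alice_reads_own": allowed(alice, 101),
        "alice_reads_bobs": allowed(alice, 102),
        "bob_reads_own": allowed(bob, 102),
        "admin_reads_any": allowed(admin, 101) and allowed(admin, 102),
        "missing_invoice": allowed(alice, 999),
    }
```

The point of `authorization_matrix` is that authorization rules are easy to break silently during refactoring; a table of who-may-read-what, asserted in CI, turns that into a failing build.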

A02:2025 – Security Misconfiguration

Security misconfiguration stems from weak or inconsistent system settings — such as unchanged default credentials, open cloud storage, or unnecessary services left exposed. 

These missteps are widespread and easily exploitable, often giving attackers a foothold into entire ecosystems. 

As application environments become more complex, especially with hybrid and cloud-based deployments, misconfigurations continue to represent a common root cause of compromise. 

Organizations can mitigate these risks by automating configuration management, applying standardized security baselines, performing routine audits to detect and remediate insecure settings promptly, and implementing cloud security best practices.
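The baseline audit described above, as an added example (not from OWASP or this article): a check that compares an application's settings against a few baseline rules and returns findings, shown against a weak configuration and a corrected one. The configuration keys are hypothetical; a real job would read the framework's settings object, the container spec, or cloud resource state instead of a dictionary.

```python
# Configuration keys below are hypothetical and chosen for the demonstration.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
)


def audit_config(cfg: dict) -> list:
    """Compare one application config against the baseline; an empty list
    means the baseline is met."""
    findings = []
    if cfg.get("debug"):
        findings.append("debug mode enabled: stack traces and internals reach clients")
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append("default administrative credentials still in use")
    if "*" in cfg.get("cors_allowed_origins", []):
        findings.append("CORS allows any origin")
    if cfg.get("storage_acl") == "public-read":
        findings.append("object storage bucket is publicly readable")
    exposed = set(cfg.get("listening_ports", [])) - set(cfg.get("required_ports", []))
    for port in sorted(exposed):
        findings.append(f"unneeded service exposed on port {port}")
    for header in REQUIRED_HEADERS:
        if header not in cfg.get("response_headers", {}):
            findings.append(f"missing security header {header}")
    return findings


def deploy_gate(cfg: dict) -> bool:
    """True when the config may be deployed; wire this into the pipeline so
    a drift from the baseline blocks the release instead of being found later."""
    return not audit_config(cfg)


# Constructed "before" config: the mistakes the text lists, all at once.
WEAK_CONFIG = {
    "debug": True,
    "admin_user": "admin",
    "admin_password": "admin",
    "cors_allowed_origins": ["*"],
    "storage_acl": "public-read",
    "listening_ports": [443, 8080, 22],
    "required_ports": [443],
    "response_headers": {},
}

# Constructed "after" config meeting the baseline.
HARDENED_CONFIG = {
    "debug": False,
    "admin_user": "ops-admin",
    "admin_password": "<injected from a secret manager at runtime>",
    "cors_allowed_origins": ["https://app.example.com"],
    "storage_acl": "private",
    "listening_ports": [443],
    "required_ports": [443],
    "response_headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
    },
}
```

Running `audit_config(WEAK_CONFIG)` yields nine findings (two of them for the unneeded ports 22 and 8080); the hardened config yields none. The rules are deliberately few; the useful property is that the same check runs automatically on every deploy rather than in an occasional manual review.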

A03:2025 – Software Supply Chain Failures

Software supply chain failures refer to vulnerabilities that arise from third-party libraries, dependencies, or build systems that organizations rely on. 

A single compromised dependency or package can cascade across thousands of applications, making this one of the most dangerous and far-reaching risks in modern development. 

Recent incidents have demonstrated how attackers exploit trusted ecosystems to deliver malicious code at scale. 

To mitigate this threat, organizations should maintain a software bill of materials (SBOM) for every release, verify the integrity and authenticity of all third-party packages (pinned versions with hashes or signatures, checked during the build), continuously monitor dependencies for known vulnerabilities, and fail builds that pull in unverified or unreviewed components.
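Hash-pinned verification in the build, as an added example (not OWASP's or the article's code): a lockfile records the SHA-256 of every reviewed artifact and the install step refuses anything that does not match or is not listed. The package names, versions and artifact bytes are constructed so the example runs offline; in a real pipeline the lockfile is produced at review time and committed.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts standing in for downloaded wheels or tarballs.
ARTIFACTS = {
    "leftpad-1.0.0.tar.gz": b"def leftpad(s, n): return s.rjust(n)\n",
    "colors-2.1.0.tar.gz": b"RED = '\\x1b[31m'\n",
}

# Lockfile as generated at review time: name -> pinned SHA-256.
LOCKFILE = {name: sha256_hex(data) for name, data in ARTIFACTS.items()}


class IntegrityError(Exception):
    pass


def verify_artifact(name: str, data: bytes, lockfile: dict) -> bool:
    """Accept an artifact only if it is listed and its hash matches the pin."""
    pinned = lockfile.get(name)
    if pinned is None:
        raise IntegrityError(f"{name}: not in lockfile (unreviewed dependency)")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, pinned):
        raise IntegrityError(f"{name}: hash mismatch, expected {pinned[:12]}..., got {actual[:12]}...")
    return True


def install_all(downloaded: dict, lockfile: dict) -> list:
    """Verify every artifact before any is unpacked, so one bad package aborts
    the whole install instead of leaving a half-installed tree."""
    for name, data in downloaded.items():
        verify_artifact(name, data, lockfile)
    return sorted(downloaded)


def tampered_is_rejected() -> bool:
    """Simulated registry compromise: the served package gained extra code."""
    served = dict(ARTIFACTS)
    served["colors-2.1.0.tar.gz"] = ARTIFACTS["colors-2.1.0.tar.gz"] + b"# injected by attacker\n"
    try:
        install_all(served, LOCKFILE)
    except IntegrityError:
        return True
    return False


def unreviewed_is_rejected() -> bool:
    """A transitive dependency that nobody pinned must not slip in either."""
    served = dict(ARTIFACTS)
    served["mystery-0.0.1.tar.gz"] = b"print('hello')\n"
    try:
        install_all(served, LOCKFILE)
    except IntegrityError:
        return True
    return False
```

This is the minimal form of what `pip install --require-hashes` and lockfile-based installers do; an SBOM adds the inventory (what is in the release, from where, under which license) on top of the integrity check.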

A04:2025 – Cryptographic Failures

Cryptographic failures occur when applications use weak, outdated, or improperly implemented encryption methods. 

This includes poor key management practices or transmitting sensitive data in plaintext, both of which can expose confidential information to interception or tampering. 

Cryptographic weaknesses are dangerous because they undermine the confidentiality and trustworthiness of systems and communications. 

Mitigation requires using vetted implementations of strong, current algorithms (AES-GCM or ChaCha20-Poly1305 for data at rest, TLS 1.3 for data in transit, and a memory-hard function such as Argon2 or scrypt for password storage), enforcing encryption both in transit and at rest, and storing and rotating keys in a dedicated key-management system rather than in application configuration.

A05:2025 – Injection

Injection vulnerabilities arise when untrusted input is executed as part of a command or query. 

These flaws can allow attackers to steal data, manipulate application logic, or even take complete control of systems. 

Because injection attacks are easy to automate and remain highly impactful, they are a constant concern for security teams.

The primary defense is to keep data separate from code: use parameterized queries or prepared statements (and the equivalent safe APIs for shell commands, LDAP, and templates) so that input can never change a query's structure. Validating input against an allowlist and applying context-appropriate output encoding are defense in depth, not substitutes.

A06:2025 – Insecure Design

Insecure design refers to flaws at the architectural or conceptual level that result from poor threat modeling, inadequate security requirements, or missing controls. 

Unlike coding errors, these issues stem from decisions made early in the development process and are often costly to fix later. 

Insecure design increases the likelihood that systems will remain vulnerable even after patches or updates. 

The defense is to embed security into the software development lifecycle (SDLC), perform comprehensive threat modeling, and adhere to secure-by-design principles from the start.

A07:2025 – Authentication Failures

Authentication failures encompass weaknesses in verifying user identities, such as weak passwords, insecure session management, or missing multi-factor authentication (MFA). 

These flaws can give attackers unauthorized access to accounts, leading to data exposure or administrative compromise. 

Since authentication is the first line of defense against unauthorized users, its failure can have severe consequences. 

Organizations can mitigate these risks by enforcing strong password policies, implementing MFA across all critical systems, securing session tokens, ensuring that credentials are never stored in plaintext, and leveraging privileged access management (PAM) tools.
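Session handling and login throttling from the list above, as an added example (not from OWASP or this article): session ids come from the OS CSPRNG, only a hash of each id is stored server-side, sessions expire on both an absolute and an idle timer, the id is rotated after login to defeat session fixation, and repeated failures lock the account for a period. The timeouts and limits are illustrative values; the clock is injectable so the behaviour can be tested without waiting.

```python
import hashlib
import secrets
import time

SESSION_TTL = 8 * 3600   # absolute lifetime in seconds (illustrative)
IDLE_TTL = 30 * 60       # idle timeout in seconds (illustrative)
MAX_FAILED = 5           # failed logins before a temporary lock
LOCK_SECONDS = 15 * 60


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}   # sha256(session id) -> record; a DB leak does not yield usable ids
        self._failures = {}   # username -> (consecutive failures, locked_until)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        """Issue a fresh 256-bit id; return it to the client, store only its hash."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token: str):
        """Return the user for a valid, unexpired session, else None."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        now = self.clock()
        if now - rec["created"] > SESSION_TTL or now - rec["last_seen"] > IDLE_TTL:
            self.revoke(token)
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def rotate(self, token: str):
        """Replace the id after authentication or a privilege change, so an id an
        attacker planted before login (session fixation) is worthless afterwards."""
        user = self.resolve(token)
        if user is None:
            return None
        self.revoke(token)
        return self.create(user)

    def login_allowed(self, user: str) -> bool:
        _, locked_until = self._failures.get(user, (0, 0))
        return self.clock() >= locked_until

    def record_failure(self, user: str) -> None:
        count, locked_until = self._failures.get(user, (0, 0))
        count += 1
        if count >= MAX_FAILED:
            locked_until = self.clock() + LOCK_SECONDS
            count = 0
        self._failures[user] = (count, locked_until)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
```

Storing the hash rather than the id is the same reasoning as for passwords: whatever is at rest should not be directly usable if it leaks. The lock here is per account; a real deployment also throttles per source address and reports lockouts to monitoring.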

A08:2025 – Software or Data Integrity Failures

Software or data integrity failures occur when code, configuration, or data is trusted without verifying that it has not been tampered with, for example when updates are applied without signature checks, when a CI/CD pipeline runs unverified plugins or scripts, or when serialized objects from untrusted sources are deserialized.

A single unchecked artifact can silently execute attacker-controlled code, so this category is closely related to supply chain failures but focuses on integrity verification inside the application and its delivery pipeline rather than on the sourcing of third-party components.

Mitigation centers on digital signatures or checksums for all code and data that the application consumes, locking down build and deployment pipelines, and avoiding deserialization of untrusted input.

A09:2025 – Logging & Alerting Failures

Logging & alerting failures occur when systems do not record critical security events or fail to generate actionable alerts. 

Without adequate logging and monitoring, organizations may remain unaware of breaches or suspicious activity for extended periods, increasing dwell time. 

Mitigation involves centralizing and standardizing logs, defining meaningful alert thresholds, and integrating monitoring tools with incident response (IR) workflows to ensure rapid visibility and containment.
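Detection logic run over sample log lines, as an added example (not OWASP's or the article's code): a small parser for a constructed authentication log, a sliding-window rule that raises one alert when an address accumulates too many failed logins, and a second rule for the case responders care about most, a success from an address already flagged for brute force. The log format, field names, thresholds and addresses are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one brute-force sequence that succeeds, one benign
# user who mistypes once, and a malformed line the parser must skip.
LOG_LINES = """\
2025-11-07T10:00:01Z auth login_failed user=alice ip=203.0.113.7
2025-11-07T10:00:12Z auth login_failed user=alice ip=203.0.113.7
2025-11-07T10:00:20Z auth login_failed user=alice ip=203.0.113.7
2025-11-07T10:00:31Z auth login_failed user=alice ip=203.0.113.7
2025-11-07T10:00:45Z auth login_failed user=alice ip=203.0.113.7
2025-11-07T10:01:02Z auth login_ok user=alice ip=203.0.113.7
2025-11-07T10:02:00Z auth login_failed user=bob ip=198.51.100.9
2025-11-07T10:02:10Z auth login_ok user=bob ip=198.51.100.9
this line is not in the expected format and must be skipped, not crash the detector
"""

LINE_RE = re.compile(r"^(\S+) auth (login_failed|login_ok) user=(\S+) ip=(\S+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, user, ip = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user,
        "ip": ip,
    }


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window brute-force detection per source address, plus an alert
    when a flagged address then logs in successfully."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if ev["event"] == "login_failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])  # alert once per address, not once per extra failure
                alerts.append({"rule": "brute_force", "ip": ev["ip"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        elif ev["ip"] in flagged and q:
            alerts.append({"rule": "success_after_brute_force", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts
```

On the sample log the detector emits exactly two alerts, both for 203.0.113.7, and nothing for bob's single mistake. The second rule is the one worth paging on: a brute-force alert on its own is noise at most sites, a success that follows one is an account takeover in progress.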

A10:2025 – Mishandling of Exceptional Conditions

Mishandling of Exceptional Conditions refers to poor error handling or failure logic that leaves systems in insecure states during unexpected events. 

Examples include unhandled exceptions, revealing sensitive information in error messages, or systems that “fail open” when they should deny access. 

These issues can enable data exposure, denial-of-service attacks, or privilege escalation. 

To mitigate them, developers should implement secure exception handling, sanitize error outputs, and design systems that “fail closed,” ensuring security controls remain enforced even under abnormal conditions.
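Fail-open versus fail-closed, and leaky versus sanitized errors, as an added example (not OWASP's or the article's code). The policy service is simulated by two constructed callables, one that answers and one that raises to model an outage; the hardened path denies when no decision can be made and sends the client only a reference id, keeping the exception detail in server-side logs.

```python
import logging
import uuid

log = logging.getLogger("app")


class PolicyUnavailable(Exception):
    """Raised by the simulated policy service when it cannot answer."""


def working_policy(user: str, resource: str) -> bool:
    """Constructed rule set standing in for a real authorization service."""
    return (user, resource) in {("alice", "doc1"), ("bob", "doc2")}


def broken_policy(user: str, resource: str) -> bool:
    """Simulated outage, with the kind of detail an exception message often carries."""
    raise PolicyUnavailable("policy service timeout (db=authz host=10.0.0.5)")


def is_allowed_fail_open(user: str, resource: str, policy) -> bool:
    """Anti-pattern: an outage in the decision path grants access to everyone."""
    try:
        return policy(user, resource)
    except Exception:
        return True


def is_allowed(user: str, resource: str, policy) -> bool:
    """Fail closed: when the decision cannot be made the answer is no, and the
    failure is logged with context for responders."""
    try:
        return bool(policy(user, resource))
    except Exception as exc:
        log.error("authorization unavailable user=%s resource=%s", user, resource, exc_info=exc)
        return False


def leaky_error_response(exc: Exception) -> dict:
    """Anti-pattern: exception text (hosts, paths, query fragments) goes to the client."""
    return {"error": str(exc)}


def safe_error_response(exc: Exception) -> dict:
    """Generic message to the client; full detail only in server-side logs,
    linked by a reference id the user can quote to support."""
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s", ref, exc_info=exc)
    return {"error": "internal error", "ref": ref}


def handle_request(user: str, resource: str, policy) -> dict:
    """Request pipeline with both controls applied."""
    try:
        if not is_allowed(user, resource, policy):
            return {"status": 403}
        return {"status": 200, "resource": resource}
    except Exception as exc:  # anything unexpected still ends in a safe response
        return {"status": 500, **safe_error_response(exc)}
```

The fail-open variant is the subtle one: it usually starts as a well-meant "keep the site up if the auth service hiccups" and becomes a way for an attacker to turn any denial of service against the policy backend into full access.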

The OWASP Top 10:2025 highlights how application security continues to evolve alongside modern development practices and emerging threats. 

By understanding these risks and implementing proactive mitigation strategies, organizations can reduce their exposure to common attack vectors.  

OWASP is accepting community feedback through Nov. 20, 2025, with a final version of the Top 10 expected in 2026.

Building on these application security fundamentals, adopting zero-trust principles offers the next step in ensuring that every user, device, and connection is continuously verified and protected across the enterprise.
