The OWASP Top 10 2025 release candidate has arrived, marking a significant evolution in application security best practices. This eighth edition represents more than incremental updates—it reflects a fundamental shift in how the security community understands and addresses web application vulnerabilities. Compared to the 2021 version, the 2025 update introduces two new categories, consolidates one existing category, and refocuses several others to address today's most pressing security risks. Understanding these changes is essential for development teams, security professionals, and organizations committed to building secure applications in an increasingly complex threat landscape.
The update draws from analysis of over 175,000 Common Vulnerabilities and Exposures (CVEs) and 589 Common Weakness Enumerations (CWEs), providing a data-driven perspective on the vulnerabilities that pose the greatest risk to modern applications. This comprehensive analysis reveals that the threat landscape has evolved significantly since 2021, with new attack vectors emerging around software supply chains and cloud-native architectures.
Understanding the OWASP Top 10 2025 Update
The OWASP Top 10 is a flagship awareness document produced by the Open Web Application Security Project, a nonprofit organization dedicated to improving software security. First published in 2003, this list has become the industry standard for understanding the most critical web application security ris
The 2025 release candidate represents the eighth edition of this influential document. As the GitLab Security Team notes, "The shift from 2021 to 2025 represents more than minor adjustments, it's a fundamental shift in application security." This shift reflects the changing nature of modern development practices, including cloud-native architectures, increased reliance on third-party dependencies, and the growing sophistication of supply chain attacks. [Source: GitLab Blog]
The methodology behind the 2025 update is particularly rigorous. The analysis examined over 175,000 CVEs and 589 CWEs—a significant increase from the approximately 400 CWEs analyzed in the 2021 edition. This expanded analysis provides a more comprehensive view of the vulnerability landscape and ensures that the rankings reflect current threat realities. [Source: GitLab Blog]
Two New Vulnerability Categories
The 2025 edition introduces two entirely new categories that were not present in the 2021 version:
A03:2025 Software Supply Chain Failures
This new category addresses vulnerabilities related to dependencies, processes, and data within the development and update mechanisms. As organizations increasingly rely on third-party libraries, frameworks, and services, the security of the entire supply chain has become critical. Software supply chain failures can occur at multiple points: compromised dependencies, insecure update mechanisms, or malicious packages introduced into popular repositories.
What makes this category particularly significant is that Software Supply Chain Failures has the highest average exploit and impact scores from CVEs despite having the fewest occurrences. This means that when supply chain attacks do occur, they tend to be severe and widespread in their impact. Organizations must implement robust dependency management practices, including:
- Regular audits of third-party components
- Verification of package integrity
- Monitoring for known vulnerabilities in dependencies
- Establishing secure update procedures
- Implementing Software Composition Analysis (SCA) tools
A10:2025 Mishandling of Exceptional Conditions
This new category focuses on how applications handle errors, exceptions, and edge cases. Improper handling of exceptional conditions can lead to information disclosure, denial of service, or security bypasses. This includes issues such as exposing sensitive information in error messages, failing to validate input in error handlers, or allowing attackers to trigger unexpected application states through malformed requests.
The addition of this category reflects a growing recognition that security vulnerabilities often emerge not from the happy path of application execution, but from how systems behave when things go wrong. Developers must implement comprehensive error handling strategies that prioritize security, including:
- Generic error messages for end users
- Detailed logging for administrators and security teams
- Proper validation of all inputs regardless of application state
- Secure handling of edge cases and boundary conditions
- Prevention of information disclosure through error messages
Consolidation and Refocusing Changes
Beyond new additions, the 2025 update also streamlines the list through strategic consolidation:
Server-Side Request Forgery (SSRF) Consolidated
The 2021 A10 Server-Side Request Forgery (SSRF) category has been consolidated into A01:2025 Broken Access Control. This consolidation reflects the understanding that SSRF vulnerabilities are fundamentally a type of access control failure—they allow attackers to bypass intended access restrictions by making requests from the server itself.
This consolidation doesn't diminish the importance of SSRF vulnerabilities; rather, it recognizes that addressing broken access control comprehensively will also address SSRF risks. Organizations should ensure their access control implementations prevent unauthorized server-side requests, including:
- Validation of all URLs and request destinations
- Restriction of internal network access from server processes
- Proper authentication and authorization for all server-initiated requests
- Network segmentation to limit server-side request scope
Refocus on Root Causes
A critical philosophical shift in the 2025 edition is the move from addressing symptoms to addressing root causes. As Orca Security Analysts explain, "A shift from symptoms to root causes defines the 2025 update. OWASP explicitly states that it aims to focus more on root causes rather than symptoms." [Source: Orca Security Blog]
For example, the 2021 edition included "Sensitive Data Exposure" as a separate category. The 2025 edition recognizes that sensitive data exposure is typically a symptom of other vulnerabilities—such as cryptographic failures, broken access control, or insecure design. By focusing on the root causes, the 2025 list provides more actionable guidance for developers and security teams.
Major Ranking Shifts and What They Mean
The 2025 edition shows significant changes in how vulnerabilities are ranked, reflecting shifts in the threat landscape:
Security Misconfiguration Rises to #2
Security Misconfiguration has jumped from the #5 position in 2021 to #2 in 2025. This dramatic rise reflects the increasing complexity of modern application environments, particularly in cloud-native and containerized deployments. Misconfigurations in cloud services, web servers, databases, and frameworks continue to be a primary attack vector.
According to GitLab's analysis, security misconfiguration now affects 3% of tested applications, yet its prevalence and impact have made it the second most critical risk. [Source: GitLab Blog] Common misconfigurations include:
- Default credentials remaining unchanged
- Unnecessary services enabled on servers
- Insecure default settings in frameworks and libraries
- Incomplete security configurations in cloud platforms
- Exposed debug information or administrative interfaces
Cryptographic Failures Drops to #4
Cryptographic Failures has moved from the #2 position in 2021 to #4 in 2025. While this represents a lower ranking, it doesn't indicate that cryptographic vulnerabilities are less important. Rather, it reflects that organizations have made progress in addressing encryption and cryptographic practices. However, cryptographic failures remain a critical concern, particularly in areas such as:
- Weak encryption algorithms
- Improper key management
- Insufficient protection of sensitive data in transit
- Inadequate protection of sensitive data at rest
- Use of deprecated cryptographic standards
The Complete 2025 Top 10 List
The full OWASP Top 10 2025 list, in order of criticality, is:
- Broken Access Control
- Security Misconfiguration
- Software Supply Chain Failures
- Cryptographic Failures
- Injection
- Insecure Design
- Authentication Failures
- Software/Data Integrity Failures
- Logging & Alerting Failures
- Mishandling of Exceptional Conditions
Comparison: 2021 vs 2025 at a Glance
Understanding how the 2025 list differs from 2021 helps organizations prioritize their security efforts:
New Categories (2025)
- Software Supply Chain Failures (A03)
- Mishandling of Exceptional Conditions (A10)
Consolidated Categories
- Server-Side Request Forgery merged into Broken Access Control
Significant Ranking Changes
- Security Misconfiguration: #5 → #2
- Cryptographic Failures: #2 → #4
- Injection: #3 → #5
- Insecure Design: #4 → #6
- Authentication Failures: #7 → #7 (unchanged)
Philosophical Shift
- From symptoms to root causes
- From individual vulnerabilities to systemic security practices
- From traditional web applications to modern cloud-native architectures
Implementation Recommendations for Development Teams
Organizations should take several concrete steps to align with the 2025 OWASP Top 10:
Conduct a Security Assessment
Begin by evaluating your current applications against the 2025 Top 10 list. Identify which vulnerabilities are most prevalent in your environment and prioritize remediation efforts accordingly. This assessment should include both automated scanning and manual code review. Pay particular attention to the new categories and the ranking changes, as these may represent areas where your current security posture needs adjustment.
Update Your Threat Model
Revise your threat models to reflect the new categories and ranking changes. Pay particular attention to software supply chain risks and exceptional condition handling, which may not have been thoroughly addressed in previous threat models. Consider how third-party dependencies could be compromised and how your application would respond to unexpected errors or edge cases.
Implement Secure Development Practices
Integrate security into your development lifecycle from the beginning. This includes secure coding training, code review processes, and security testing at multiple stages of development. Ensure that developers understand the root causes of vulnerabilities, not just the symptoms. Implement secure coding standards that address the 2025 Top 10 categories explicitly.
Address Supply Chain Security
Implement comprehensive dependency management practices. This includes maintaining an inventory of all third-party components, regularly scanning for known vulnerabilities, verifying the integrity of packages, and establishing policies for updating dependencies. Consider using Software Composition Analysis (SCA) tools to automate this process and ensure continuous monitoring of your supply chain security posture.
Improve Error Handling and Logging
Review how your applications handle errors and exceptions. Ensure that error messages don't expose sensitive information, that all errors are properly logged for security monitoring, and that exceptional conditions are handled securely. Implement comprehensive logging and alerting to detect and respond to security incidents. This includes monitoring for unusual error patterns that might indicate an attack.
Strengthen Access Control
With SSRF now consolidated into Broken Access Control, ensure that your access control mechanisms are robust and comprehensive. This includes proper authentication, authorization, and validation of all requests, including those initiated by the server itself. Implement principle of least privilege throughout your application and infrastructure.
The Bottom Line
The OWASP Top 10 2025 represents a significant evolution in application security guidance. The introduction of new categories like Software Supply Chain Failures and Mishandling of Exceptional Conditions reflects the realities of modern development environments. The consolidation of SSRF and the shift toward root causes provide a more coherent and actionable framework for addressing security vulnerabilities.
For development teams and security professionals, the 2025 update is a call to action. It emphasizes that application security is not just about patching individual vulnerabilities, but about building secure systems from the ground up. By understanding these changes and implementing the recommended practices, organizations can significantly reduce their exposure to the most critical web application security risks.
The full OWASP Top 10 2025 list is now available for review, and organizations should begin incorporating these updated guidelines into their security strategies immediately. As the threat landscape continues to evolve, staying aligned with OWASP's guidance ensures that security efforts remain focused on the risks that matter most.
