The OWASP Top 10 2025 release candidate has arrived, marking a significant evolution in application security standards. Announced on November 6, 2025, at the Global AppSec Conference, this update reflects the changing threat landscape facing modern web applications. Compared to the 2021 version, the 2025 list adds two new vulnerability categories, consolidates one existing category, and refocuses several others to address emerging security challenges.
The OWASP Top 10 serves as the foundation for application security practices worldwide. Organizations use it for training, vulnerability assessments, compliance audits, and secure development frameworks. Understanding these changes is essential for developers, security teams, and organizations committed to building secure applications.
Understanding the OWASP Top 10 2025 Update
The OWASP Top 10 has been the gold standard for web application security since its inception in 2003. The Open Web Application Security Project, a nonprofit organization dedicated to improving software security, publishes this list based on vulnerability disclosures, expert consensus, and community sur
The 2025 release candidate reflects this evolution by introducing new categories that address modern attack vectors. The emphasis has shifted from treating individual vulnerabilities in isolation to understanding how security must be integrated throughout the entire Software Development Life Cycle (SDLC). According to the Fastly Security Team, "The overarching theme of 2025 changes was a nod to looking at the big picture: instead of focusing efforts on specific flaws, themes emerged around looking at the SDLC as a whole." [Fastly Blog]
This shift represents a fundamental change in how organizations should approach application security—moving from reactive vulnerability patching to proactive, secure-by-design principles. The 2025 update urges developers and organizations to adopt security practices that address threats throughout the development lifecycle, not just at the testing phase.
Two New Vulnerability Categories
The 2025 update introduces two entirely new categories that were not present in the 2021 Top 10:
A03:2025 Software Supply Chain Failures
This new category addresses vulnerabilities in the software supply chain, a critical concern in today's interconnected development ecosystem. Supply chain attacks have become increasingly sophisticated, with attackers targeting dependencies, build systems, and third-party components. Organizations must now evaluate the security of their dependencies, implement Software Bill of Materials (SBOM) practices, and monitor for compromised packages throughout their supply chain.
The inclusion of this category reflects real-world attack patterns where threat actors compromise popular open-source libraries or inject malicious code into dependency chains. By elevating supply chain security to the Top 10, OWASP acknowledges that modern applications are only as secure as their weakest dependency.
A10:2025 Mishandling of Exceptional Conditions
The second new category focuses on how applications handle exceptions and error conditions. Poor exception handling can expose sensitive information, create security bypasses, or lead to unexpected application behavior. This category emphasizes the importance of proper error handling, logging, and exception management throughout the application lifecycle.
Developers often overlook exception handling as a security concern, focusing instead on the happy path. However, attackers frequently exploit error conditions to gain insights into application architecture, bypass security controls, or trigger unintended behavior. This new category brings attention to a vulnerability class that has long been underestimated.
Consolidated Categories and Structural Changes
While the 2025 update adds new categories, it also consolidates existing ones to reflect a more cohesive understanding of vulnerability relationships. The 2021 A10 Server-Side Request Forgery (SSRF) has been merged into A01:2025 Broken Access Control. This consolidation reflects the understanding that SSRF vulnerabilities often enable broader access control bypasses and are fundamentally related to authorization failures.
Broken Access Control remains the top vulnerability in the 2025 list, maintaining its position from previous years. However, its scope has expanded significantly. The updated A01:2025 now encompasses:
- Traditional access control failures and privilege escalation
- CORS (Cross-Origin Resource Sharing) misconfigurations
- Token manipulation attacks
- Server-Side Request Forgery (SSRF) vulnerabilities
This expansion recognizes that modern applications face sophisticated attacks that exploit authentication and authorization mechanisms in multiple ways. According to Orca Security, Broken Access Control affects virtually every tested application and has the highest number of mapped Common Weakness Enumerations (CWEs), underscoring its critical importance. [Orca Security Blog]
Refocused Categories and Ranking Shifts
Beyond new additions and consolidations, several existing categories have been refocused to reflect current threat priorities. The categories from the 2021 list—A02, A03, and A04—have shifted positions in the 2025 ranking, indicating evolving priorities in the threat landscape. [Fastly Blog]
These ranking shifts reflect data-driven analysis of current vulnerability prevalence and impact. As threat actors adapt their tactics and new attack vectors emerge, the relative importance of different vulnerability classes changes. The 2025 update captures this evolution, helping organizations prioritize their security efforts based on current risk.
The refocusing of categories also reflects a deeper understanding of how vulnerabilities interact and compound. Rather than treating each vulnerability in isolation, the 2025 list encourages organizations to understand how weaknesses in one area can amplify risks in others. For example, poor exception handling can expose information that facilitates access control attacks, or supply chain vulnerabilities can introduce multiple security flaws simultaneously.
Impact on Development and Security Teams
The 2025 changes carry significant implications for how development and security teams approach application security. The emphasis on SDLC-wide security means that security cannot be an afterthought or a final testing phase. Instead, it must be integrated throughout the entire development process.
Development Team Responsibilities
Development teams must now consider:
- Supply chain security from the initial dependency selection phase, including evaluating the security posture of third-party libraries
- Secure exception handling as part of code review standards, ensuring errors don't expose sensitive information
- Access control as a foundational architectural concern, not an afterthought
- Continuous security assessment throughout development, not just at the end
Security Team Responsibilities
Security teams must adapt their assessment methodologies to address the new categories and expanded scope of existing ones. This includes:
- Updating training programs to reflect the 2025 priorities
- Configuring vulnerability scanning tools to detect the new categories
- Establishing supply chain security assessment processes
- Developing exception handling security guidelines
- Providing actionable remediation guidance for the expanded access control category
Upasna Kesarwani, Author at 42Gears, emphasizes this shift: "The OWASP Top 10:2025 Release Candidate clearly shows one thing—security must be continuous, intelligent, and Zero Trust-aligned." [42Gears Blog] This statement captures the essence of the 2025 update: security is not a destination but an ongoing process that must be intelligent about threats and aligned with modern security principles like Zero Trust.
Implementation Strategy for 2025 Standards
Organizations should begin preparing for the 2025 standards immediately, even though the final release is planned for early 2026. Here's a strategic approach to implementation:
1. Conduct a Gap Analysis
Assess current applications against the 2025 categories to identify gaps in your security posture. This includes evaluating how well your current practices address the new categories (Software Supply Chain Failures and Mishandling of Exceptional Conditions) and the expanded scope of existing categories.
2. Update Security Training
Ensure developers and security professionals understand the new categories and the rationale behind them. Training should cover not just what the vulnerabilities are, but why they matter and how to prevent them in practice.
3. Revise Development Standards
Incorporate the 2025 priorities into your secure development guidelines and code review processes. Update your secure coding standards to address the new categories and provide developers with clear guidance on implementation.
4. Evaluate Tools and Processes
Review your vulnerability scanning, testing, and monitoring tools to ensure they address the 2025 categories. You may need to update tool configurations or adopt new tools to effectively detect and assess the new vulnerability types.
5. Implement Supply Chain Security
Establish processes for evaluating, monitoring, and managing third-party dependencies. This includes implementing Software Bill of Materials (SBOM) practices, using dependency scanning tools, and establishing policies for acceptable dependencies.
6. Enhance Exception Handling
Review and improve how your applications handle errors and exceptions. Ensure that error messages don't expose sensitive information, that exceptions are properly logged, and that error conditions don't create security bypasses.
7. Strengthen Access Control
Conduct comprehensive access control reviews and implement proper authentication and authorization mechanisms. Given that Broken Access Control remains the top vulnerability, this should be a priority for all organizations.
Timeline and Next Steps
The OWASP Top 10 2025 release candidate was announced on November 6, 2025, at the Global AppSec Conference. The final release is planned for early 2026, following community survey input and feedback. This timeline provides organizations with several months to prepare for the transition.
The community survey remains active, allowing security professionals and developers to provide input on the 2025 list. This collaborative approach ensures that the final release reflects real-world security concerns and practical implementation considerations. Organizations should consider participating in the survey to ensure their perspectives are represented in the final version.
During this period, organizations should:
- Review the release candidate in detail
- Begin gap analysis and assessment activities
- Plan training and awareness initiatives
- Update development standards and processes
- Evaluate and configure security tools
- Establish timelines for full implementation
Key Takeaways
The OWASP Top 10 2025 represents a meaningful evolution in application security standards. The addition of Software Supply Chain Failures and Mishandling of Exceptional Conditions addresses critical modern threats that organizations face. The consolidation of SSRF into Broken Access Control and the refocusing of other categories reflect a deeper understanding of how vulnerabilities interact and compound.
Most importantly, the 2025 update emphasizes that security must be integrated throughout the entire Software Development Life Cycle. Organizations that adopt secure-by-design principles and implement continuous, intelligent security practices will be better positioned to address the threats outlined in the 2025 list.
As the final release approaches in early 2026, now is the time to begin preparing your organization for these changes. Review the release candidate, assess your current security posture, and develop a plan to implement the 2025 standards. By taking action now, you'll ensure your applications are protected against the most critical web application security risks and aligned with industry best practices.
