OWASP Top 10 2025: New Categories, Consolidated Risks & What Security Teams Must Know

OWASP Top 10 2025: Key Changes & What They Mean

The OWASP Top 10 2025 introduces two new security categories and consolidates critical vulnerabilities. Learn what changed, why it matters, and how to protect your applications.

The OWASP Top 10 2025 release candidate marks a significant evolution in how the security community understands and prioritizes web application risks. Announced on November 6, 2025, at the OWASP Global AppSec Conference in Washington, DC, this updated list reflects the changing threat landscape facing modern software development. Two entirely new categories have been introduced while one existing vulnerability has been consolidated, signaling a fundamental shift in how organizations should approach application security. The changes emphasize supply chain integrity, misconfiguration risks, and error handling weaknesses—areas that have become increasingly critical in contemporary development environments.

For security teams, developers, and organizational leaders, understanding these changes is essential. The OWASP Top 10 serves as the gold standard for identifying and mitigating the most critical web application security risks. This 2025 update provides crucial guidance on where to focus defensive efforts in an era of complex software supply chains, cloud-native architectures, and sophisticated threat actors.

Understanding the OWASP Top 10 Framework

The OWASP Top 10 is a flagship project by the Open Web Application Security Project, a nonprofit organization dedicated to improving software security. Since its initial publication in 2003, the list has become the de facto standard for web application security risk assessment. Organizations worldwide use it to guide security testing, code reviews, and vulnerability remediation efforts.

The OWASP Top 10 ranks the most critical web application security risks based on comprehensive data from vulnerability assessments, community surveys, and expert consensus. Each edition reflects the evolving threat landscape and emerging vulnerabilities that pose the greatest risk to applications and their users. The 2025 edition represents the most significant update in recent years, with changes that go beyond simple reordering to address fundamental shifts in how applications are built and deployed.

The framework has evolved significantly since 2003, with each iteration incorporating lessons learned from real-world security incidents and emerging attack patterns. The 2025 edition continues this tradition by addressing vulnerabilities that have become increasingly prevalent in modern software development environments, particularly those related to supply chain risks and cloud-native architectures.

The Two New Categories in 2025

Two entirely new categories have been introduced in the OWASP Top 10 2025, reflecting emerging threats that have become increasingly prevalent in modern software development.

Software Supply Chain Failures (A03)

The first new category addresses Software Supply Chain Failures, now ranked as A03 in the 2025 list. This addition directly responds to high-profile incidents like the SolarWinds breach, which exposed the critical vulnerability of third-party dependencies in software development. Organizations increasingly rely on external libraries, frameworks, and components, creating an expanded attack surface that extends beyond their direct control.

Software supply chain failures encompass risks associated with insecure dependencies, compromised packages, and vulnerabilities in third-party code. This category emphasizes the need for organizations to implement robust supply chain security practices, including:

  • Dependency scanning and software composition analysis
  • Vendor risk assessment and security evaluation
  • Monitoring for known vulnerabilities in third-party components
  • Secure package management and version control
  • Supply chain compromise detection and response

The inclusion of this category signals that security teams must now view application security through a supply chain lens, recognizing that vulnerabilities in dependencies can be just as damaging as flaws in proprietary code. Organizations that fail to address supply chain risks expose themselves to attacks that can compromise entire applications and user bases.
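As an added illustration (not code from this page or from OWASP), the script below applies two of the practices listed above to a constructed Python-style lock file: it flags dependencies that are not pinned to an exact version with an integrity hash, and checks pinned versions against an advisory table. The package names, the digest and the vulnerable range are constructed placeholders, not real advisory data.

```python
import re

# Constructed placeholder digest; a real lock file carries the package's actual sha256.
PLACEHOLDER_HASH = "sha256:" + "0" * 64

# Constructed lock file: one entry pinned with a hash, one pinned without a hash,
# one with a loose range that lets a future resolve pull whatever the index serves.
LOCKFILE = f"""\
acme-http==2.31.0 --hash={PLACEHOLDER_HASH}
acme-yaml==5.3.1
acme-net>=1.26
"""

# Constructed advisory feed (placeholder entries, not real CVE data):
# package -> list of (min_inclusive, max_exclusive) vulnerable version ranges.
ADVISORIES = {
    "acme-yaml": [((0, 0, 0), (5, 4, 0))],
}

LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9.]*)(.*)$")

def parse_version(text):
    """Turn '5.3.1' into (5, 3, 1) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def audit_lockfile(lockfile):
    """Return (package, finding) tuples; an empty list means the lock file is clean."""
    findings = []
    for raw in lockfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            findings.append((line, "unparseable requirement"))
            continue
        name, op, version, rest = match.groups()
        name = name.lower()
        if op != "==":
            findings.append((name, f"not pinned to an exact version ({op}{version})"))
            continue
        if "--hash=" not in rest:
            findings.append((name, "pinned without an integrity hash"))
        pinned = parse_version(version)
        for low, high in ADVISORIES.get(name, []):
            if low <= pinned < high:
                findings.append((name, f"{version} is in a known-vulnerable range"))
    return findings
```

The same structure carries over to an SBOM audit: the advisory table becomes a feed of real ranges and the lock file becomes the component list, but the pin, hash and range checks are unchanged.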

Mishandling of Exceptional Conditions (A10)

The second new category, Mishandling of Exceptional Conditions, occupies the A10 position. It covers error handling weaknesses that expose sensitive information or open security gaps. Poor practices such as displaying detailed error messages to users, logging sensitive data, or failing to handle unexpected conditions safely can hand attackers useful reconnaissance information or produce behaviour the design never anticipated.

This addition reflects a growing recognition that error handling is not merely a reliability concern but a critical security issue. Applications that mishandle exceptions may leak:

  • Stack traces containing code structure information
  • Database connection strings and credentials
  • API keys and authentication tokens
  • Internal system paths and architecture details
  • Sensitive business logic information

Additionally, improper exception handling can lead to unexpected application behavior that attackers can exploit. By elevating this concern to the Top 10, OWASP emphasizes that developers must treat error handling as a security-critical component of application design, not an afterthought.
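An added example of the A10 point above (not code from this page or from OWASP): the first handler returns the driver's exception text and stack trace to the client, leaking an internal hostname and account name; the hardened handler returns a generic message with an opaque reference id and keeps the details in an internal log keyed by that id. The database failure and the in-memory log sink are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")
INTERNAL_LOG = []   # constructed stand-in for an internal log sink, so the example is self-contained

def connect_db():
    # Constructed failure: the kind of message a driver emits, naming host, port and account.
    raise ConnectionError("could not connect to db-primary.internal:5432 as user app_rw")

def handle_request_vulnerable():
    """Returns (status, body). Leaks internals: hostnames, usernames and code structure."""
    try:
        connect_db()
        return 200, "ok"
    except Exception as exc:
        return 500, f"Error: {exc}\n{traceback.format_exc()}"

def handle_request_hardened():
    """Returns (status, body). Generic message for the client, full detail kept internally."""
    try:
        connect_db()
        return 200, "ok"
    except Exception as exc:
        error_id = uuid.uuid4().hex
        # Details go only to the internal log, keyed by the opaque id for correlation.
        INTERNAL_LOG.append({
            "error_id": error_id,
            "type": type(exc).__name__,
            "message": str(exc),
            "trace": traceback.format_exc(),
        })
        log.error("request failed error_id=%s type=%s", error_id, type(exc).__name__)
        # The request fails closed (500), and the client learns only a reference to quote.
        return 500, f"An internal error occurred. Reference: {error_id}"
```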

Consolidation and Structural Changes

While two new categories were added, the 2025 list also consolidated existing vulnerabilities to better reflect modern threat patterns. Server-Side Request Forgery (SSRF), which appeared as a distinct category in the 2021 edition, has been merged into A01: Broken Access Control.

This consolidation is not a diminishment of SSRF's importance but rather a recognition that SSRF vulnerabilities often stem from or enable broken access control issues. SSRF attacks allow attackers to make requests from the server itself, potentially bypassing access controls and reaching internal resources that should be restricted. By integrating SSRF into the broader access control category, the OWASP Top 10 2025 encourages security teams to view these vulnerabilities as interconnected rather than isolated problems.

This structural change reflects a more holistic approach to application security that considers how different vulnerability types interact and compound risk. Rather than treating SSRF as a standalone concern, organizations should evaluate it within the context of their overall access control architecture and authorization mechanisms.

Broken Access Control: Still the Top Risk

Broken Access Control remains firmly entrenched as the number one risk in the OWASP Top 10 2025. This category now covers an even broader range of Common Weakness Enumerations (CWEs), including privilege escalation, Cross-Origin Resource Sharing (CORS) misconfigurations, and the aforementioned SSRF vulnerabilities.

The prevalence of broken access control is staggering. According to OWASP data, 94% of applications tested in the assessments that informed the 2025 rankings were affected by some form of access control vulnerability. This makes it not only the most common weakness but also one of the most impactful, since access control failures grant attackers unauthorized access to sensitive data and functionality.

The expansion of the A01 category to include more CWEs reflects the reality that access control is a foundational security concern. Whether through direct privilege escalation, CORS misconfigurations that allow unauthorized cross-origin requests, or SSRF attacks that bypass access controls, the underlying issue is the same: the application fails to properly verify that users have authorization for their requested actions.

Common broken access control vulnerabilities include:

  1. Privilege escalation through parameter manipulation or direct object references
  2. Horizontal access control flaws allowing users to access other users' data
  3. Vertical access control flaws allowing users to access higher-privilege functions
  4. CORS misconfigurations allowing unauthorized cross-origin requests
  5. SSRF attacks exploiting server trust to access internal resources
  6. Insecure direct object references (IDOR) exposing sensitive data
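An added example (not code from this page or from OWASP) covering three items from the list above: the horizontal flaw (IDOR, item 6) beside an ownership check, the vertical flaw (item 3) beside a server-side role check, and the CORS item (4) handled with an exact-match origin allowlist instead of reflecting the request's Origin. The users, order table and origin allowlist are constructed data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"; loaded from the session, never from the request body

ORDERS = {1001: 7, 1002: 8}   # constructed data: order id -> owner user id
ALLOWED_ORIGINS = {"https://shop.example", "https://admin.shop.example"}   # constructed allowlist

class Forbidden(Exception):
    pass

def get_order_vulnerable(order_id):
    """IDOR: the lookup is keyed on the id alone, so any caller can read any order."""
    return ORDERS[order_id]

def get_order(user, order_id):
    """Horizontal check: the record must belong to the caller (admins may read all)."""
    owner = ORDERS.get(order_id)
    # Unknown ids and other users' ids get the same answer, so callers cannot enumerate.
    if owner is None or (owner != user.id and user.role != "admin"):
        raise Forbidden()
    return owner

def refund_order(user, order_id):
    """Vertical check: the role comes from the server-side session, not a request field."""
    if user.role != "admin":
        raise Forbidden()
    get_order(user, order_id)
    return "refunded"

def cors_headers(origin):
    """Exact-match allowlist; never echo the request's Origin back as the allowed origin."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

def is_allowed(action, *args):
    """True if the action completes without raising Forbidden."""
    try:
        action(*args)
        return True
    except Forbidden:
        return False
```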

Implications for Your Security Strategy

The 2025 changes carry significant implications for how organizations should approach application security. The overarching theme of these changes represents a shift toward looking at the big picture rather than focusing efforts on specific isolated flaws. As the Fastly Security Team notes, "The overarching theme of 2025 changes was a nod to looking at the big picture: instead of focusing efforts on specific flaws, themes emerged around looking at the SDLC as a whole." [Source: Fastly Blog]

This holistic approach means that organizations should implement comprehensive changes across their security programs:

Integrate Security Throughout the SDLC

Rather than treating security as a final validation step, organizations must embed security considerations into design, development, testing, and deployment phases. This includes secure coding practices, threat modeling, and security-focused code reviews. Security should be a shared responsibility across development teams, not siloed within a dedicated security function.

Address Supply Chain Risks Proactively

With Software Supply Chain Failures now in the Top 10, organizations must implement comprehensive dependency management practices. This includes regular scanning of dependencies for known vulnerabilities, assessment of third-party vendor security practices, and monitoring for supply chain compromises. Organizations should maintain a software bill of materials (SBOM) and regularly audit their dependency trees.

Implement Robust Error Handling

Developers must ensure that applications handle exceptions securely, avoiding information disclosure while maintaining appropriate logging for debugging and security monitoring. This requires balancing user experience with security requirements. Error messages should be generic for end users while detailed logging is reserved for internal security monitoring.

Focus on Access Control as a Foundational Concern

Given that broken access control affects virtually every tested application, organizations should prioritize access control testing and remediation. This includes regular access control reviews, privilege escalation testing, and validation of authorization logic across all application features. Access control should be implemented consistently across the entire application using established patterns and frameworks.

Moving Forward with OWASP Top 10 2025

The OWASP Top 10 2025 release candidate was announced on November 6, 2025, at the OWASP Global AppSec Conference, with public review ongoing ahead of the final release. Organizations should begin preparing now to align their security programs with the updated guidance.

Implementing the OWASP Top 10 2025 guidance requires a coordinated effort across development teams, security teams, and organizational leadership. Security teams should use the updated list to reassess their vulnerability management priorities and testing methodologies. Development teams should familiarize themselves with the new categories and update their secure coding practices accordingly. Organizational leaders should ensure that security investments align with the updated risk landscape.

The shift toward a more holistic, SDLC-focused approach to security represents maturation in how the industry understands application security. By addressing supply chain risks, error handling weaknesses, and access control comprehensively, organizations can build more resilient applications that better withstand modern threats.

As Orca Security Analysts emphasize, "Broken Access Control remains the top risk in the OWASP Top 10:2025, affecting virtually every tested application." [Source: Orca Security Blog] This underscores the continued importance of prioritizing access control in security programs while simultaneously addressing the emerging threats represented by the new categories.

The OWASP Top 10 2025 provides a roadmap for this evolution. By understanding and implementing its guidance, organizations can significantly reduce their exposure to the most critical web application security risks and build a stronger security posture for the future. The time to begin preparing for these changes is now, before the final release is published and becomes the new standard for security assessments and compliance requirements.
