Overview
The OWASP Top 10 2025 reflects the evolving threat landscape, incorporating AI/LLM attack surfaces, software supply chain risks, and the rising severity of Server-Side Request Forgery (SSRF). Organizations should re-evaluate their application security programs against this updated list.
Key Changes in 2025
| # | Category | Change |
|---|---|---|
| A01 | Broken Access Control | Remained #1 for 4th consecutive year |
| A08 | Software & Data Integrity Failures | Elevated + expanded to cover supply chain |
| A10 | Server-Side Request Forgery | Elevated — now includes AI/Cloud SSRF vectors |
Key Focus Areas
A08 — Supply Chain Attacks
The XZ Utils backdoor (CVE-2024-3094) and ongoing npm/PyPI malware campaigns pushed supply chain integrity to the forefront. Implement SLSA Level 3+, pin dependencies with hash verification, and use Sigstore/cosign for artifact signing.
A10 — SSRF in Cloud and AI Environments
SSRF increasingly targets cloud metadata endpoints (AWS IMDSv1, GCP metadata server) and LLM prompt injection chains. Enforce IMDSv2, restrict outbound HTTP from application servers, and validate all user-supplied URLs against an allowlist.
Quick Win Checklist
- Audit all direct object references for access control enforcement
- Rotate and inventory all secrets — move to a vault solution
- Run npm audit / pip-audit / trivy in your CI pipeline
- Enable CSP, HSTS, and X-Frame-Options headers site-wide
- Implement structured logging with anomaly alerting in your SIEM