OWASP Top 10 for LLM Applications: The 2025 List Explained
The OWASP Top 10 for LLM Applications is a community-built list of the ten most important security risks in applications that use large language models, maintained by the OWASP GenAI Security Project. The current 2025 edition runs from prompt injection (LLM01) to unbounded consumption (LLM10). It is the standard shared vocabulary for AI application security, but a checklist is only useful if you can tell which of its risks are actually reachable in your stack.

What is the OWASP Top 10 for LLM Applications?
The OWASP Top 10 for LLM Applications is a reference list of the most critical security risks for LLM and generative-AI applications, published by the OWASP GenAI Security Project. It mirrors the long-standing OWASP Top 10 for web applications, translating AI-specific risk into a format security teams already understand. The first edition shipped in 2023, and the current 2025 edition reorganized the list around how LLM applications are actually built and attacked.
It matters because it gives teams a shared taxonomy. When everyone refers to "LLM01" or "excessive agency," risk conversations, tooling, and audits line up. It is a starting point for coverage, not a guarantee of security on its own.
The OWASP Top 10 for LLM Applications (2025)
Each entry below is a real risk class. Where a category maps cleanly to a published CVE in an AI or LLM package, we link an example in the CVE archive; some entries are design or model-layer issues that rarely carry a single CVE.
- LLM01: Prompt Injection. Crafted input alters the model's behavior or output in unintended ways. See what prompt injection is. Example: CVE-2023-29374, a prompt-injection flaw in LangChain's LLMMathChain that led to code execution.
- LLM02: Sensitive Information Disclosure. The model or application exposes PII, credentials, or proprietary data in its outputs. Example: CVE-2025-68665, a LangChain serialization-injection issue that enabled secret extraction.
- LLM03: Supply Chain. Third-party models, datasets, packages, and plugins introduce vulnerable or malicious components. Example: CVE-2026-54499, remote code execution when loading an untrusted Stanza model via unsafe pickle deserialization.
- LLM04: Data and Model Poisoning. Manipulated training, fine-tuning, or embedding data introduces backdoors, bias, or degraded behavior.
- LLM05: Improper Output Handling. Model output is passed to downstream systems without validation, enabling injection, SSRF, or remote code execution. Example: CVE-2023-32786, a server-side request forgery issue in LangChain.
- LLM06: Excessive Agency. The system grants the model too much functionality, permission, or autonomy, so an influenced model can take harmful actions.
- LLM07: System Prompt Leakage. The system prompt, including instructions or secrets it should not contain, is exposed to users or attackers.
- LLM08: Vector and Embedding Weaknesses. Flaws in how vectors and embeddings are generated, stored, or retrieved (RAG) enable injection or data leakage.
- LLM09: Misinformation. The model produces false or misleading output that users over-trust.
- LLM10: Unbounded Consumption. Uncontrolled resource or query use enables denial of service and runaway cost. Example: CVE-2026-55446, an unauthenticated denial-of-service flaw in Langflow.
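Several of the entries above (LLM05 improper output handling, LLM06 excessive agency, LLM10 unbounded consumption) converge on one control point: the boundary where model output becomes an action. The gate below is an added example written for this page, not code from OWASP or Kodem; the tool names, parameter schema and per-session budget are hypothetical, and DNS names are passed through for the caller to resolve and re-check.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Hypothetical allowlist of tools the agent may call (LLM06: least privilege).
# Each entry names exactly the parameters the model may supply, nothing more.
ALLOWED_TOOLS = {
    "fetch_url": {"url"},
    "search_docs": {"query"},
}
MAX_CALLS_PER_SESSION = 5  # LLM10: hard cap on tool invocations per session


def _is_public_http_url(url: str) -> bool:
    """Reject non-http schemes and literal private/loopback targets (LLM05, SSRF)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        return True  # a DNS name; the caller must resolve it and re-check the address
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def gate_tool_call(raw_model_output: str, calls_so_far: int) -> tuple[bool, str]:
    """Validate an LLM-produced tool call before anything downstream executes it."""
    if calls_so_far >= MAX_CALLS_PER_SESSION:
        return False, "budget exhausted"
    try:
        call = json.loads(raw_model_output)
    except json.JSONDecodeError:
        return False, "output is not a JSON tool call"
    if not isinstance(call, dict) or not isinstance(call.get("tool"), str):
        return False, "malformed tool call"
    allowed_params = ALLOWED_TOOLS.get(call["tool"])
    if allowed_params is None:
        return False, "tool not allowlisted"
    args = call.get("args", {})
    if not isinstance(args, dict) or set(args) != allowed_params:
        return False, "unexpected or missing parameters"
    if not all(isinstance(v, str) and len(v) <= 2048 for v in args.values()):
        return False, "parameter type or length violation"
    if call["tool"] == "fetch_url" and not _is_public_http_url(args["url"]):
        return False, "url not permitted"
    return True, "ok"
```

Each rejection reason is a distinct, loggable event, which is what makes a gate like this useful to detection as well as to prevention.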
How to act on the list, not just check the box
The list names risks; it does not tell you which ones are live in your environment. That is where runtime matters. A vulnerable dependency (LLM03) that never loads, or an agent permission (LLM06) that is never exercised, is not the same as one attackers can reach. Reachability analysis and runtime intelligence separate the theoretical entries from the exploitable ones, so teams work the risks that actually put the application in danger.
Where Kodem fits
Kodem focuses on the runtime and application-layer entries of the list rather than claiming to cover all ten. Its runtime-powered SCA and AI bill of materials address LLM03 supply-chain risk; its application detection and response and agentic controls address prompt-injection exploitability (LLM01) and excessive agency (LLM06); and its broader approach to securing the AI application stack prioritizes these by what executes. Model-layer items such as poisoning (LLM04) and misinformation (LLM09) are governance and training concerns that sit outside runtime. For the full picture, see AI application security.
Frequently Asked Questions
- What is the OWASP Top 10 for LLM Applications? It is a community-built list of the ten most critical security risks for applications that use large language models, maintained by the OWASP GenAI Security Project. The current 2025 edition runs from prompt injection (LLM01) to unbounded consumption (LLM10).
- What is LLM01 in the OWASP Top 10? LLM01 is prompt injection: crafted input that makes a model follow an attacker's instructions instead of the developer's. It is ranked the number one risk for LLM applications.
- When was the OWASP Top 10 for LLM last updated? The current edition is the 2025 list, which reorganized and expanded the original 2023 version, adding entries such as system prompt leakage and vector and embedding weaknesses.
- How is the OWASP Top 10 for LLM different from the OWASP Top 10 for web apps? It applies the same idea, a ranked list of top risks, to LLM and generative-AI applications, covering AI-specific issues like prompt injection, excessive agency, and data poisoning that the web list does not.
- How do you know which OWASP LLM risks apply to your application? Use runtime evidence. Reachability and runtime intelligence show which listed risks, such as a vulnerable dependency or an over-privileged agent, are actually loaded, reachable, and exploitable in your environment, rather than treating the list as a flat checklist.