The project was launched in 2023 as a community-driven initiative to bring visibility to the specific security risks found in applications built on top of LLMs. The 2025 edition, published in March of that year, expands and refines the initial work with new categories and a sharper focus on current use cases: corporate assistants, copilots, agents, RAG architectures, and automations connected to third‑party systems.
The usefulness of the Top 10 is twofold. On one hand, it provides technical teams with a clear taxonomy to model threats, prioritize controls, and design security testing. On the other hand, it helps business and risk leaders understand that an AI‑powered application does not introduce a single new problem, but rather a combination of classic and emerging threats that amplify one another.
OWASP highlights several fundamental changes in the 2025 edition. The first is the evolution of the former denial‑of‑service category into a broader one: unbounded consumption. In LLM environments, poor management of context, tokens, tool calls, or model access doesn't just affect availability; it can also drive up costs and silently degrade service quality.
The second major change is the explicit inclusion of vector and vector‑representation weaknesses, a direct response to the rise of RAG architectures. When an application’s security depends on how it generates, stores, and retrieves embeddings, the vector store stops being a neutral component and becomes a critical asset.
The third important change is the introduction of system prompt leakage. Many applications assumed these internal instructions were opaque to the user. OWASP makes it clear that this assumption is unsafe. If the system prompt can be revealed, it can also expose internal logic, credentials, security constraints, and operational details that enable new attack paths.
Finally, the excessive agency category gains weight due to the growing use of agents and plugins. When the model has autonomy to act on other systems, any control failure stops being a simple response error and becomes an unsafe action with operational impact.
| ID | Risk |
| --- | --- |
| LLM01 | Prompt Injection |
| LLM02 | Sensitive Information Disclosure |
| LLM03 | Supply Chain |
| LLM04 | Data and Model Poisoning |
| LLM05 | Improper Output Handling |
| LLM06 | Excessive Agency |
| LLM07 | System Prompt Leakage |
| LLM08 | Vector and Embedding Weaknesses |
| LLM09 | Misinformation |
| LLM10 | Unbounded Consumption |
1. Prompt Injection
Prompt injection remains in the top position for a simple reason: external content is not just context — it can also be an attack vector. An email, a webpage, a PDF, a ticket, or a document inside a RAG system may contain hidden instructions capable of altering the model’s behavior. The threat no longer lies solely in what a user types directly, but in any source the model processes and interprets.
| Objectives ➡️ Treat all user input as untrusted. ➡️ Use strict input validation, privilege separation between the model and backend systems, and human review for sensitive operations. ➡️ Do not allow LLM‑generated content to directly trigger privileged actions without verification. |
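The verification step above can be sketched as a simple backend-side gate: the model may *propose* actions, but only allowlisted, non-privileged ones run without human review. The action names and the `ALLOWED_ACTIONS` set below are hypothetical, purely for illustration.

```python
# Hypothetical allowlist of actions the backend will execute on the model's behalf.
ALLOWED_ACTIONS = {"search_docs", "summarize", "translate"}

def gate_model_action(action: str, requires_privilege: bool = False) -> bool:
    """Return True only if an LLM-proposed action may run without human review.

    Anything outside the allowlist is rejected outright; privileged
    operations are always deferred to out-of-band human approval.
    """
    if action not in ALLOWED_ACTIONS:
        return False
    if requires_privilege:
        return False
    return True
```

The key design choice is that the gate lives in deterministic code, outside the model: even a fully hijacked prompt cannot widen the set of actions the backend is willing to execute.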
2. Sensitive Information Disclosure
Sensitive information disclosure highlights that an AI‑powered application can leak secrets without requiring a traditional intrusion. All it takes is poor training practices, weak orchestration, improper retrieval, or overly broad access. When an LLM connects to repositories, document stores, CRMs, tickets, or source code, the exposure surface expands immediately.
| Objectives ➡️ Expose only the data that an LLM truly needs. ➡️ Apply output filtering to detect and mask sensitive patterns before responses reach the user. ➡️ Periodically audit training and retrieval data flows. |
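Output filtering of the kind mentioned above is often implemented as a last-mile masking pass over the model's response. A minimal sketch, assuming a small set of regex patterns (real deployments would use far more, tuned to their own data):

```python
import re

# Hypothetical patterns; extend and tune these for your environment.
SENSITIVE_PATTERNS = [
    (re.compile(r"\b\d{16}\b"), "[CARD-REDACTED]"),  # bare 16-digit card numbers
    (re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), "[EMAIL-REDACTED]"),
    (re.compile(r"(?i)api[_-]?key\s*[:=]\s*\S+"), "[KEY-REDACTED]"),
]

def mask_sensitive(text: str) -> str:
    """Mask known sensitive patterns before the response reaches the user."""
    for pattern, replacement in SENSITIVE_PATTERNS:
        text = pattern.sub(replacement, text)
    return text
```

Regex masking is a safety net, not a substitute for restricting what data the LLM can retrieve in the first place.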
3. Supply Chain
In AI environments, the supply chain includes dependencies, datasets, base models, LoRA adapters, third‑party repositories, conversion processes, and the provider’s terms of use.
| Objectives ➡️ Carefully review all third‑party models, plugins, and data sources. ➡️ Prefer models from reputable providers with documented security practices. |
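One concrete supply-chain control is pinning downloaded model artifacts (weights, LoRA adapters, datasets) to known checksums, so a tampered or swapped file fails verification before it is ever loaded. A minimal sketch:

```python
import hashlib

def verify_artifact(path: str, expected_sha256: str) -> bool:
    """Compare a downloaded model/adapter file against a pinned SHA-256 checksum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):  # stream to avoid loading huge files
            h.update(chunk)
    return h.hexdigest() == expected_sha256
```

The expected hash should come from a trusted channel (the provider's signed release notes, an internal registry), not from the same location as the artifact itself.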
4. Data and Model Poisoning
Cases such as PoisonGPT, attacks on model‑conversion processes, or the abuse of external components show that the problem can arise at any point in the pipeline.
| Objectives ➡️ Carefully validate all training data. ➡️ Use anomaly detection during training. ➡️ Prefer fine‑tuning over full retraining whenever possible, and monitor model outputs in production. |
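Anomaly detection during training can start as simply as flagging samples whose per-sample signal (loss, perplexity, distance to a class centroid) deviates strongly from the rest, since poisoned samples often stand out on such metrics. A minimal z-score sketch, with the choice of signal left as an assumption:

```python
from statistics import mean, stdev

def flag_outliers(scores: list[float], z_threshold: float = 3.0) -> list[int]:
    """Return indices of samples whose score deviates strongly from the rest.

    `scores` could be per-sample loss, perplexity, or distance to a class
    centroid -- any signal where poisoned samples tend to stand out.
    """
    mu, sigma = mean(scores), stdev(scores)
    if sigma == 0:
        return []  # no spread, nothing to flag
    return [i for i, s in enumerate(scores) if abs(s - mu) / sigma > z_threshold]
```

Flagged samples go to human review rather than being dropped silently, since legitimate rare data also produces outliers.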
5. Improper Output Handling
Improper output handling serves as a reminder that an LLM's response should never be blindly chained to another automatic action without deterministic validation.
| Objectives ➡️ Use parameterized queries for database interactions, sandboxed code‑execution environments, and implement strict output validation. |
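The parameterized-query objective looks like this in practice: model-derived text is bound as a value, so it can never change the shape of the SQL statement. A minimal sketch using the standard-library `sqlite3` module (table and column names are illustrative):

```python
import sqlite3

def lookup_user(conn: sqlite3.Connection, username: str):
    """Parameterized query: model-derived input is bound as data, never as SQL."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()
```

Even a classic injection payload passed as `username` simply matches no rows, instead of rewriting the query.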
6. Excessive Agency
OWASP refers to excessive agency as one of the most important issues today. The risk is not just that the model might make a mistake; the real problem is that such a mistake may have permission to create, delete, send, approve, purchase, or modify something.
| Objectives ➡️ Apply the principle of least privilege rigorously. ➡️ Grant LLM agents only the minimum permissions required for each specific task. ➡️ Implement human‑approval gates for high‑impact actions. |
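Least privilege plus human-approval gates can be combined in one deterministic authorization check in front of the agent's tool dispatcher. The tool names and `HIGH_IMPACT` tier below are hypothetical:

```python
from dataclasses import dataclass

# Hypothetical risk tier: actions that must never run on model authority alone.
HIGH_IMPACT = {"delete_record", "send_payment", "grant_access"}

@dataclass
class ToolCall:
    name: str
    approved_by_human: bool = False

def authorize(call: ToolCall, granted_tools: set[str]) -> bool:
    """Allow a tool call only if it is inside the agent's minimal grant;
    high-impact actions additionally require explicit human approval."""
    if call.name not in granted_tools:
        return False
    if call.name in HIGH_IMPACT and not call.approved_by_human:
        return False
    return True
```

Each agent gets its own `granted_tools` set scoped to its task, so a compromised agent cannot reach tools it was never granted.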
7. System Prompt Leakage
System prompts often contain intellectual property, security configuration details, personality definitions, and operational instructions that developers assume are confidential. In practice, attackers can often extract partial or complete system-prompt content.
| Objectives ➡️ Use robust access controls, avoid embedding credentials or sensitive business logic in prompts, and monitor for extraction attempts. |
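One way to monitor for extraction attempts is to scan outgoing responses for long verbatim slices of the system prompt before they reach the user. A minimal sketch (the 40-character overlap threshold is an arbitrary assumption to tune):

```python
def leaks_system_prompt(output: str, system_prompt: str, min_overlap: int = 40) -> bool:
    """Flag a response that reproduces a long verbatim slice of the system prompt.

    Naive O(n*m) scan; production systems would use fuzzy matching, since
    models often paraphrase rather than quote the prompt exactly.
    """
    for i in range(max(1, len(system_prompt) - min_overlap + 1)):
        if system_prompt[i:i + min_overlap] in output:
            return True
    return False
```

Flagged responses can be blocked or logged; either way, the safer assumption remains that the prompt *will* eventually leak, so it should never hold credentials.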
8. Vector and Embedding Weaknesses
Weaknesses in how embeddings are generated, stored, or retrieved can allow attackers to manipulate retrieval results, inject malicious content into the knowledge base, or exploit similarity‑search algorithms to extract sensitive stored documents.
| Objectives ➡️ Validate all content before it enters the knowledge base. ➡️ Implement query filtering to prevent unauthorized document retrieval, and monitor vector‑search patterns for unusual or suspicious behavior. |
9 and 10. Misinformation and Unbounded Consumption
Misinformation and unbounded consumption introduce an important idea: an AI-powered application can also cause harm when it produces convincing falsehoods or consumes resources without control. This affects reputation, operations, decision-making, and cost. In many corporate environments, an incorrect output or an inefficient architecture can be just as damaging as a traditional technical vulnerability.
| Objectives ➡️ Base model responses on verified and authorized data sources. ➡️ Display clear confidence indicators and source citations. ➡️ Implement human review for critical decisions and educate users about the limitations of AI‑generated content. |
| Objectives ➡️ Apply per‑user limits and maximum output‑token limits. ➡️ Monitor unusual usage patterns and implement circuit breakers to stop uncontrolled processes. |
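A per-user limit with circuit-breaker behavior can be as small as a windowed token budget: once the budget for the current window is spent, further requests are rejected until the window resets. A minimal sketch (window size and budget are illustrative):

```python
import time

class TokenBudget:
    """Per-user token budget: rejects requests once the window is exhausted."""

    def __init__(self, max_tokens_per_window: int, window_seconds: float = 60.0):
        self.max = max_tokens_per_window
        self.window = window_seconds
        self.used = 0
        self.window_start = time.monotonic()

    def allow(self, tokens: int) -> bool:
        now = time.monotonic()
        if now - self.window_start >= self.window:
            self.used, self.window_start = 0, now  # new window
        if self.used + tokens > self.max:
            return False  # circuit open: reject until the window resets
        self.used += tokens
        return True
```

Budgeting tokens rather than requests matters in LLM systems, because a single request with a huge context or long output can cost more than thousands of small ones.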
▪️Separate trusted and untrusted content in prompts and RAG flows.
▪️Apply least privilege to tools, connectors, APIs, and agents.
▪️Validate model output deterministically before reusing it.
▪️Maintain human approval for critical or irreversible actions.
▪️Audit providers, models, datasets, and supply‑chain dependencies.
▪️Control consumption, costs, context usage, quotas, and tool calls.
References
OWASP GenAI Security Project - LLM Top 10
OWASP Top 10 for LLM Applications - 2025 Version (Spanish translation)
José Antonio Linio, OSCP
Ismael de Frutos, CRTP