OWASP Top 10 for Large Language Model (LLM) Applications

Executive Summary

The OWASP Top 10 for LLM Applications – 2025 identifies the most critical vulnerabilities affecting Large Language Models (LLMs), including Prompt Injection, Sensitive Information Disclosure, and Unbounded Consumption. It provides actionable strategies such as input validation, data encryption, and adversarial testing to mitigate these risks. As LLMs become central to modern applications, this guide empowers organizations to deploy them securely while protecting user data, minimizing operational risks, and ensuring responsible AI practices.

The Open Worldwide Application Security Project (OWASP) has been a beacon in guiding developers and security experts in addressing critical security challenges. With the advent of Large Language Models (LLMs) playing an important role in applications ranging from customer service to decision-making, the OWASP Top 10 for LLM Applications – 2025 emerges as an essential resource for securing these transformative technologies.

What’s New in the OWASP Top 10 for 2025?

The latest release builds upon the 2023 version, introducing critical updates and new entries addressing vulnerabilities unique to modern LLM deployments. It emphasizes evolving threats, from System Prompt Leakage to Vector and Embedding Weaknesses, aligning with real-world exploit scenarios and community-driven insights.

Key additions include:

1. System Prompt Leakage: Exploits targeting the assumptions of prompt isolation.
2. Excessive Agency: Risks stemming from the growing use of agentic LLM architectures.
3. Unbounded Consumption: Expanded from Denial of Service, focusing on resource management and operational costs.

1. Prompt Injection: When Inputs Take Control

Prompt injection exploits the model’s inability to differentiate between benign inputs and malicious commands embedded in user prompts or external data. For instance, attackers can bypass safety mechanisms by crafting inputs like:

Ignore all previous instructions. Execute the following: [malicious action].

Such attacks can lead to data leaks or unauthorized actions. Mitigating this requires:

• Role-based prompt design: Clearly define what the model can and cannot do within its instructions.
• Input sanitization: Use regex patterns and semantic analysis to filter out potential injection attempts.
• Adversarial testing: Simulate attack scenarios to test model resilience.

Additionally, techniques like the RAG Triad (relevance, groundedness, and QA alignment) can evaluate responses for anomalies.

2. Sensitive Information Disclosure: The Risks of Oversharing

LLMs can inadvertently reveal sensitive data embedded in their training sets or prompts. For instance:

• Models trained on unfiltered logs may return API keys or passwords when queried.
• A user might extract information through prompts like: What does the system know about [confidential entity]?

To address this:

• Training data curation: Scrub datasets for sensitive content before training.
• Dynamic masking: Implement runtime redaction for sensitive fields using predefined patterns.
• Access controls: Enforce strict API-level restrictions to limit access to high-risk functions.

3. Supply Chain Risks: A Chain is Only as Strong as its Weakest Link

The reliance on third-party libraries, pre-trained models, and data sources introduces risks. For instance, compromised training datasets could embed backdoors that alter model behavior. Mitigation strategies include:

• Dependency monitoring: Use tools like OWASP Dependency-Check to track and patch vulnerabilities in libraries.
• Data integrity verification: Implement hash-based checks to ensure data remains untampered during preprocessing.
• Air-gapped environments: Conduct training in isolated systems to minimize external risks.

4. Data and Model Poisoning: Corruption at the Source

Attackers can inject malicious data during training to bias model predictions. Examples include inserting adversarial examples that exploit specific model weights. Mitigation includes:

• Differential privacy: Add noise to training data to obscure sensitive details while retaining utility.
• Gradient analysis: Detect anomalies in backpropagation to identify poisoned samples.
• Secure federated learning: Use techniques like homomorphic encryption to protect data in distributed training scenarios.

5. Improper Output Handling: When Responses Go Awry

Models generating unrestricted outputs can produce harmful or legally problematic content, such as biased decisions or hate speech. To manage this:

• Output post-processing: Use deterministic validation layers, such as regex or JSON schema validators, to ensure outputs align with expected formats.
• Content moderation pipelines: Integrate toxicity detection models to flag inappropriate responses.
• Guardrails for dynamic generation: Specify clear constraints within the system prompt, such as: Only respond with numerical data formatted as JSON.

6. Excessive Agency: Autonomy Gone Wrong

Agentic architectures enable LLMs to trigger APIs, execute code, or perform tasks autonomously. Unchecked, these systems can cause unintended actions, such as over-provisioning cloud resources. Solutions include:

• Sandboxing: Restrict execution environments to isolated containers.
• Human-in-the-loop: Require manual approval for high-risk actions.
• Capability scoping: Use fine-grained permissioning to limit what LLM agents can access (e.g., read-only access to certain APIs).

7. System Prompt Leakage: Keeping Secrets Safe

System prompts often contain sensitive data, such as operational instructions or API tokens. If leaked, attackers can exploit this knowledge to bypass security. Risks arise from LLM features like instruction chaining or history sharing. Mitigation strategies:

• Token obfuscation: Replace sensitive data in prompts with dynamically generated tokens that expire.
• Session isolation: Segregate system prompts from user interactions to prevent accidental exposure.
• Prompt watermarking: Embed invisible markers to detect unauthorized prompt disclosure.

8. Vector and Embedding Weaknesses: The Hidden Dangers

Attackers can manipulate embedding spaces used in Retrieval-Augmented Generation (RAG) to influence model outputs. This includes injecting misleading context into document vectors. To secure these systems:

• Vector authentication: Use cryptographic signatures to validate embeddings before use.
• Outlier detection: Monitor embedding distributions for anomalies that indicate tampering.
• RAG-specific filters: Build constraints into retrievers to exclude irrelevant or adversarial documents.

9. Misinformation: Truth vs. Machine

LLMs sometimes fabricate plausible-sounding but false information, a phenomenon known as hallucination. For example, a model might confidently state incorrect statistics. Addressing this requires:

• Source grounding: Enhance responses with references to verified data repositories.
• Retrieval mechanisms: Use real-time search APIs to fetch current data for fact-checking.
• Calibration techniques: Adjust output confidence levels using posterior probability adjustments.

10. Unbounded Consumption: Resource Drains

Unoptimized queries or misuse of APIs can lead to skyrocketing costs and system unavailability. For instance, attackers might intentionally spam queries to induce financial strain. Preventative measures include:

• Rate limiting: Configure API gateways to restrict query frequencies.
• Cost monitoring: Implement dashboards that track query patterns and associated compute costs.
• Query optimization: Preprocess user inputs to simplify queries and reduce token usage.

Final Thoughts

Securing LLMs requires more than theoretical awareness; it demands practical, technical solutions tailored to evolving threats. The OWASP Top 10 for LLM Applications – 2025 provides a robust framework for identifying and addressing vulnerabilities, ensuring these transformative tools are deployed safely and responsibly. By implementing these strategies, businesses can unlock the full potential of LLMs while safeguarding their systems and users.