The Open Web Application Security Project has officially released its highly anticipated 2025 Top 10, a landmark eighth edition that serves as the definitive guide to the most critical security risks facing modern web applications. Released on November 6, 2025, this revised document reflects a profound evolution in the threat landscape, shaped by the rapid adoption of complex development practices and the increasing sophistication of cyber attacks. The updated list is more than a simple ranking; it is a narrative of change, introducing two entirely new vulnerability categories, reconfiguring several long-standing ones, and leveraging a refined methodology that expertly balances extensive empirical data with invaluable insights from the global security community. For developers, cybersecurity professionals, and organizations worldwide, this list provides an essential framework for prioritizing security efforts and building a more resilient digital infrastructure in an era of unprecedented risk.
A New Era of Holistic Security Focus
A defining characteristic of the 2025 OWASP Top 10 is its strategic departure from focusing on discrete, symptomatic vulnerabilities toward addressing their underlying systemic root causes. This marks a significant maturation in the industry’s approach to application security. Instead of merely cataloging attack types, the new list emphasizes broader categories of weakness that enable a variety of exploits. This philosophical shift is clearly demonstrated in the consolidation of specific threats into more encompassing categories, such as the absorption of Server-Side Request Forgery (SSRF) into the top-ranked Broken Access Control. Furthermore, the creation of entirely new categories targeting systemic failures highlights a move away from a purely code-centric view. This approach encourages organizations to look beyond patching individual flaws and invest in fundamental improvements to their design, development, and deployment processes, fostering a culture of security that is proactive rather than reactive.
This evolution is further underscored by a heightened emphasis on the security of the entire software development lifecycle and its surrounding ecosystem. The 2025 list explicitly acknowledges that application security is no longer confined to the source code but extends to the tools, dependencies, and infrastructure that support its creation and operation. The introduction of a dedicated category for software supply chain failures is the most potent indicator of this trend, reflecting the industry’s growing anxiety over risks embedded in third-party components, build systems, and distribution pipelines. This holistic perspective is tailored to the realities of modern, cloud-native environments, where complex configurations, microservices architectures, and distributed systems introduce novel and often subtle avenues for attack. By expanding the scope of concern, OWASP is guiding the industry toward a more comprehensive security model that addresses the interconnected nature of contemporary software development.
Emerging Risks Take Center Stage
Arguably the most significant addition to the 2025 list is A03:2025 – Software Supply Chain Failures, a new category that dramatically expands upon its predecessor, 2021’s Vulnerable and Outdated Components. While the former focused primarily on the use of third-party libraries with known vulnerabilities, this new entry adopts a far broader and more urgent perspective. It encompasses the full spectrum of ecosystem risks, including weaknesses in Continuous Integration/Continuous Deployment (CI/CD) pipelines, compromised build processes, insecure software distribution infrastructure, and the integrity of third-party dependencies themselves. Its prominent placement at the third position was driven in large part by overwhelming community concern, which balanced the fact that direct testing data for such systemic issues is often difficult to capture with automated tools. This category’s inclusion, supported by numerous high-profile security incidents, highlights the severe impact and high exploit potential associated with supply chain compromises, compelling organizations to vet not just what they build, but how they build it.
The second new entry, A10:2025 – Mishandling of Exceptional Conditions, brings a much-needed focus to a class of vulnerabilities previously scattered across the general concept of “poor code quality.” This category specifically targets flaws related to improper error handling, logical errors in code flow, and the creation of insecure failure states. A critical example of such a state is an application that “fails open,” where a malfunction in a critical security check, such as an unavailable authentication service, results in access being granted by default rather than denied. Comprising 24 distinct Common Weakness Enumerations (CWEs), this category addresses how mishandled exceptions can lead to catastrophic security failures, from the inadvertent exposure of sensitive system information and stack traces to enabling debilitating Denial-of-Service (DoS) attacks. Its formal inclusion provides a clear mandate for developers to implement robust, secure, and resilient error-handling mechanisms as a foundational security principle.
Reassessing Established Vulnerabilities
Despite the introduction of new threats, A01:2025 – Broken Access Control has maintained its precarious position at the top of the list, underscoring the persistent and critical nature of authorization failures. The 2025 edition reinforces the importance of this category by merging A10:2021 – Server-Side Request Forgery (SSRF) directly into it. This consolidation reflects a deeper understanding that SSRF is fundamentally an access control problem, where a server is coerced into making unauthorized network requests on behalf of an attacker. Now encompassing 40 CWEs and affecting a significant percentage of all applications tested, Broken Access Control remains the paramount challenge for security teams. In a notable shift, A02:2025 – Security Misconfiguration has seen a dramatic rise in prominence, moving from the fifth position in 2021 to second in 2025. This change is directly attributed to the ever-increasing complexity of modern application environments, including cloud services, containerization, and microservices architectures, where weak default settings and inconsistent security controls create fertile ground for exploitation.
In a more encouraging development, several long-standing categories have dropped in rank, suggesting that concerted industry efforts are yielding positive results. A05:2025 – Injection, once a fixture at the top of the list, has fallen from third to fifth place, while A04:2025 – Cryptographic Failures has moved down from second to fourth. These downward trends are likely the result of the widespread adoption of safer development frameworks that provide built-in defenses against common injection attacks and more robust, easier-to-implement cryptographic libraries. Perhaps most promising is the drop of A06:2025 – Insecure Design from fourth to sixth place, a shift that OWASP attributes to industry-wide improvements in adopting secure design principles and conducting more thorough threat modeling early in the development lifecycle. Other categories, such as A07 – Authentication Failures, A08 – Software or Data Integrity Failures, and A09 – Logging & Alerting Failures, have maintained their respective rankings, albeit with minor name tweaks for improved clarity and to emphasize the need for actionable alerts over passive monitoring.
A Refined Methodology for a Modern Threatscape
The credibility and authority of the OWASP Top 10 rest on its sophisticated, data-driven methodology, which was further refined for the 2025 edition to provide a more accurate snapshot of the current threat landscape. The approach is a carefully constructed blend of quantitative data analysis and qualitative expert feedback gathered from the global security community. For this iteration, OWASP analyzed anonymized data from over 175,000 Common Vulnerabilities and Exposures (CVEs) that were mapped to an extensive list of 643 CWEs. A key methodological decision was to prioritize prevalence—the percentage of applications exhibiting at least one instance of a particular weakness—over the raw frequency of findings. This ensures that the list accurately reflects widespread problems across the industry rather than issues that may be numerous but are confined to a small subset of applications, providing a more reliable indicator of systemic risk for most organizations. To balance this empirical data, community surveys played an instrumental role, particularly in elevating risks that are inherently difficult to detect with automated scanning tools but are of paramount concern to frontline practitioners. The high ranking of Software Supply Chain Failures is a direct result of this blended approach, where overwhelming community concern about the potential impact of such attacks complemented the available data. Exploitability and impact scores were drawn from multiple versions of the Common Vulnerability Scoring System (CVSS), which revealed a clear trend of newer versions assigning a higher weighting to a vulnerability’s impact. This forward-looking methodology ensures that the final list is not merely a reflection of historical data but is also closely aligned with the emerging threats and complex realities of modern, interconnected technology stacks, making it an indispensable resource for strategic security planning.
Navigating the Path Forward
The release of the OWASP Top 10 2025 provided a definitive narrative on the evolution of web application security, signaling a maturing field that had made measurable progress in foundational areas while simultaneously grappling with new, systemic challenges. The persistent dominance of Broken Access Control served as a stark reminder that fundamental principles required continuous vigilance, while the introduction of Software Supply Chain Failures confirmed that security perimeters had expanded far beyond an organization’s own code. For security leaders and development teams, the directive was clear: the updated list had to be integrated into DevSecOps pipelines, security awareness programs, and risk management frameworks. This involved prioritizing robust supply chain verification tools, implementing comprehensive and secure error-handling logic, and relentlessly fortifying access controls. As the list was opened for community feedback until November 20, 2025, it stood as a dynamic, collaborative resource essential for navigating the complex path toward a more secure digital world.