Thursday, March 5, 2026

OWASP Top 10 2025 Launches With Expanded Risk Categories

The Open Web Application Security Project (OWASP) has unveiled its eighth edition of the Top 10, a cornerstone guide for developers, security pros, and organizations tackling web application risks.

This 2025 update reflects evolving threats in a landscape dominated by complex supply chains, cloud-native apps, and AI-driven attacks.

Drawing from millions of vulnerability data points and community input, it spotlights persistent dangers while introducing fresh perspectives on emerging issues.

Introducing The OWASP Top 10:2025

The list kicks off with A01: Broken Access Control, still reigning as the top threat, affecting 3.73% of tested apps. Server-Side Request Forgery now folds into this category for a more holistic view of authorization flaws.

A02: Security Misconfiguration climbs to second place from fifth in 2021, impacting 3% of applications amid rising reliance on configs in modern software stacks.

A03: Software Supply Chain Failures extends the Vulnerable Components category, capturing ecosystem-wide risks, such as compromised dependencies. Though underrepresented in data, it scores high on exploit potential.

[Image: OWASP Updates 2025 Risks]

A04: Cryptographic Failures drops to fourth place, with a 3.80% prevalence, often leading to data breaches.

A05: Injection holds at fifth, encompassing SQLi and XSS across 38 CWEs.

A06: Insecure Design slips to sixth, a drop attributed to improved threat modeling practices.

A07: Authentication Failures stays seventh, with the naming refined to highlight session and credential issues.

A08: Software or Data Integrity Failures remains in eighth place, focusing on trust boundary lapses below supply chain levels.

A09: Logging & Alerting Failures holds ninth, emphasizing actionable alerts over mere logs.

Finally, A10: Mishandling of Exceptional Conditions debuts, addressing pitfalls such as failing open.
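The "failing open" pitfall named under A10 is easiest to see in an authorization check whose policy backend becomes unavailable. The example below is added here and is not code from the article or from OWASP; the policy table, user names, resource paths and the simulated backend outage are all constructed for illustration. It places the fail-open anti-pattern (a broad except that grants access when the lookup throws) beside a fail-closed version that denies, records an auditable event, and never lets an exception translate into permission.

```python
"""Fail-open vs fail-closed handling of an exceptional condition in an
authorization check (added example; constructed data, not OWASP code)."""


class PolicyStoreUnavailable(Exception):
    """Raised when the simulated policy backend cannot be reached."""


# Constructed policy table: user -> set of resources that user may read.
POLICIES = {
    "alice": {"/reports/q1"},
    "bob": set(),
}

# Constructed audit trail so denials caused by outages are alertable (cf. A09).
AUDIT_EVENTS = []


def lookup_policy(user: str, backend_up: bool = True) -> set:
    """Simulated policy lookup; backend_up=False models a timeout or outage."""
    if not backend_up:
        raise PolicyStoreUnavailable("policy backend timed out")
    return POLICIES.get(user, set())


def can_read_fail_open(user: str, resource: str, backend_up: bool = True) -> bool:
    """Anti-pattern: the exceptional path grants access.

    A broad except swallows the outage and the default branch returns True,
    so an unauthorised user is allowed through exactly when the system is
    least able to decide. This is the 'failing open' pitfall under A10."""
    try:
        return resource in lookup_policy(user, backend_up)
    except Exception:
        return True


def can_read_fail_closed(user: str, resource: str, backend_up: bool = True) -> bool:
    """Hardened version: any failure to evaluate the policy is a denial.

    The expected outage is caught specifically and logged with a reason;
    anything unexpected is also logged and denied rather than re-raised into
    a code path that might default to allow."""
    try:
        allowed = resource in lookup_policy(user, backend_up)
    except PolicyStoreUnavailable as exc:
        AUDIT_EVENTS.append({"user": user, "resource": resource,
                             "decision": "deny", "reason": f"policy unavailable: {exc}"})
        return False
    except Exception as exc:  # unknown failure: still deny, still record it
        AUDIT_EVENTS.append({"user": user, "resource": resource,
                             "decision": "deny", "reason": f"unexpected error: {exc!r}"})
        return False
    if not allowed:
        AUDIT_EVENTS.append({"user": user, "resource": resource,
                             "decision": "deny", "reason": "not in policy"})
    return allowed


def last_denial_reason() -> str:
    """Return the reason recorded for the most recent denial, or '' if none."""
    return AUDIT_EVENTS[-1]["reason"] if AUDIT_EVENTS else ""


if __name__ == "__main__":
    # With the backend healthy both versions agree.
    print(can_read_fail_open("alice", "/reports/q1"), can_read_fail_closed("alice", "/reports/q1"))
    # During an outage the fail-open check lets bob through; the fail-closed one does not.
    print(can_read_fail_open("bob", "/reports/q1", backend_up=False))
    print(can_read_fail_closed("bob", "/reports/q1", backend_up=False), last_denial_reason())
```

The defensive point is in the shape of the try/except: the allow decision is computed only on the success path, every exceptional path ends in a denial, and each denial carries a reason so an outage-driven spike in denials is visible to alerting rather than silently widening access.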

Key Changes and Methodology

This edition adds two new categories and consolidates others, prioritizing root causes over symptoms to guide remediation.

Data from over 2.8 million apps informs eight spots, while a community survey elevates two underrepresented risks.

Categories now average 25 CWEs each, capped at 40, for a total of 248 of MITRE's 968 CWEs.

Exploit and impact scores are derived from CVE data via OWASP Dependency-Check, weighted by CVSS v2/v3 for accuracy.

The survey bridges gaps in automated testing by capturing frontline trends, such as supply chain woes.

Why It Matters and Next Steps

With software complexity surging, this Top 10 urges proactive design and testing. Contributors like Veracode, Sonar, and anonymous donors fueled the dataset.

Lead authors Andrew van der Stock, Brian Glas, Neil Smithline, Tanya Janca, and Torsten Gigler crafted this release candidate on November 6, 2025.

Dive into OWASP's resources to fortify your apps; security starts with awareness.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
