
Artificial intelligence is reshaping how software is built and used — but with great power comes significant security risk. Large Language Models (LLMs) introduce a new class of vulnerabilities that traditional security frameworks were never designed to address. To help developers, security teams, and organizations navigate this landscape, OWASP released the OWASP Top 10 for LLM Applications 2025 — a definitive guide to the most critical security risks specific to AI-powered systems.
This guide breaks down each of the ten risks, explaining what they are, why they matter, and how to defend against them.
LLM01 — Prompt Injection
Prompt injection is the most prevalent and dangerous risk for LLM-based applications. It occurs when an attacker crafts malicious input — either directly in the user prompt or embedded in external content the model processes — to override the system’s intended instructions. This can cause the model to leak confidential data, bypass safety guardrails, execute unintended actions, or impersonate authorized users.
Mitigation: Treat all user input as untrusted. Use strict input validation, privilege separation between the model and backend systems, and human-in-the-loop review for sensitive operations. Never allow LLM-generated content to directly trigger privileged actions without verification.
LLM02 — Sensitive Information Disclosure
LLMs can inadvertently reveal sensitive information — including personally identifiable information (PII), proprietary business data, API keys, or details from confidential documents used during training or retrieval. This can happen through direct querying, cleverly crafted prompts, or model memorization of training data.
Mitigation: Apply data minimization principles — only expose the data an LLM truly needs. Implement output filtering to detect and redact sensitive patterns before responses reach the user. Audit training and retrieval data pipelines regularly.
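The output-filtering step above, shown as an added example that is not part of the original article. It is a small post-generation filter: a set of regex detectors for common PII and secret shapes (the patterns and the sample model reply are constructed for the demo, not an exhaustive ruleset), with a Luhn checksum so that ordinary 13-16 digit numbers are not wrongly redacted as card numbers.

```python
import re

# Constructed detector patterns for a few common secret and PII shapes. They are
# illustrative assumptions, not an exhaustive production ruleset.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}['\"]?"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps 13-16 digit order numbers from being redacted as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple:
    """Return (redacted_text, labels_found).

    Runs after generation and before the reply leaves the service, so the
    model can still be asked anything but cannot hand these values to the user.
    """
    findings = []

    def replacer(label):
        def _sub(m):
            if label == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)          # digit runs that fail Luhn are left untouched
            findings.append(label)
            return f"[REDACTED:{label.upper()}]"
        return _sub

    for label, pattern in SENSITIVE_PATTERNS.items():
        text = pattern.sub(replacer(label), text)
    return text, findings


# Constructed model reply containing data that should never reach the user.
SAMPLE_REPLY = ("Sure! Contact jane.doe@example.com; her SSN is 123-45-6789. "
                "Use api_key = sk_live_abcdefghijklmnop1234 and card 4111 1111 1111 1111. "
                "Your order id is 1234 5678 9012 3456.")

if __name__ == "__main__":
    cleaned, labels = redact(SAMPLE_REPLY)
    print(cleaned)
    print("findings:", labels)
```

The labels returned alongside the text are what you would log and alert on; a burst of redactions for one user is a useful signal that someone is probing the model for data it should not have.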
LLM03 — Supply Chain Vulnerabilities
LLM applications depend on a complex ecosystem: pre-trained base models, fine-tuning datasets, third-party plugins, vector databases, and external APIs. A compromise at any point in this chain — a poisoned model, a malicious plugin, or a tampered dataset — can introduce backdoors or unexpected behaviors into production systems.
Mitigation: Vet all third-party models, plugins, and data sources. Use verified model registries, pin dependency versions, and conduct regular security audits of the entire AI supply chain. Prefer models from reputable providers with documented security practices.
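One concrete form of "pin dependency versions" for model artifacts, as an added example that is not from the article or from any particular model registry: a reviewed manifest of SHA-256 digests is committed alongside the application, and every artifact on disk is checked against it before the model is loaded. The file names and digests in `demo()` are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large weight files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(manifest: dict, base_dir: Path) -> dict:
    """Compare every artifact in base_dir with the pinned manifest.

    Returns {name: status} where status is one of:
      ok        digest matches the reviewed value
      mismatch  file present but its digest differs (tampering or silent upstream change)
      missing   pinned artifact is not on disk
      unpinned  file on disk that nobody reviewed or pinned
    Loading should proceed only if every status is "ok".
    """
    results = {}
    for name, expected in manifest["artifacts"].items():
        p = base_dir / name
        if not p.exists():
            results[name] = "missing"
            continue
        results[name] = "ok" if sha256_of(p) == expected else "mismatch"
    for p in base_dir.iterdir():
        if p.is_file() and p.name not in manifest["artifacts"]:
            results[p.name] = "unpinned"
    return results


def all_ok(results: dict) -> bool:
    return bool(results) and all(v == "ok" for v in results.values())


def demo() -> dict:
    """Constructed model directory and manifest showing each status once."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "model.safetensors").write_bytes(b"constructed model bytes")
        (base / "tokenizer.json").write_bytes(b'{"constructed": true}')
        (base / "extra_plugin.py").write_bytes(b"# not reviewed by anyone")
        manifest = {
            "artifacts": {
                "model.safetensors": hashlib.sha256(b"constructed model bytes").hexdigest(),
                # simulate an upstream change: pinned digest was taken from different content
                "tokenizer.json": hashlib.sha256(b"reviewed tokenizer").hexdigest(),
                "config.json": "0" * 64,   # placeholder digest for a file that was not shipped
            }
        }
        return verify_artifacts(manifest, base)


if __name__ == "__main__":
    r = demo()
    print(r, "load allowed:", all_ok(r))
```

Digest pinning catches silent changes to an artifact behind a fixed name or tag; it does not tell you the reviewed content was benign in the first place, which is what the vetting step in the text is for.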
LLM04 — Data and Model Poisoning
Data poisoning occurs when an attacker manipulates the training or fine-tuning data to embed hidden biases, backdoors, or malicious behaviors into the model. Model poisoning extends this to the model weights themselves. Poisoned models can behave normally under most conditions but produce attacker-controlled outputs when specific trigger inputs are present.
Mitigation: Carefully curate and validate all training data. Use anomaly detection during training. Prefer fine-tuning over full retraining where possible, and monitor model outputs in production for unexpected behavioral shifts.
LLM05 — Improper Output Handling
When LLM-generated output is passed directly to downstream systems — such as web browsers, code interpreters, databases, or operating system commands — without adequate validation, it can trigger cross-site scripting (XSS), SQL injection, remote code execution, or other classic injection attacks. The LLM itself is not exploited; the vulnerability lies in how its output is consumed.
Mitigation: Treat LLM output as untrusted user input. Apply context-aware output encoding, use parameterized queries for database interactions, sandbox code execution environments, and implement strict output validation before passing data to any downstream system.
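The point that the vulnerability lives in the consumer, not the model, is easiest to see side by side. The following is an added example (not code from the article): an in-memory SQLite table stands in for a downstream database, one lookup splices the model's text into SQL and one passes it as a parameter, plus the allowlist validation and HTML encoding the mitigation calls for. The table contents and the two model outputs are constructed for the demo.

```python
import html
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the downstream database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER, customer TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'alice', 10.0), (2, 'bob', 20.0), (3, 'alice', 5.0);
    """)
    return conn


# Constructed assistant outputs for the request "show alice's orders". Whoever can
# steer the model (for example through injected content) effectively chooses this string.
MODEL_OUTPUT_BENIGN = "alice"
MODEL_OUTPUT_HOSTILE = "alice' OR '1'='1"


def vulnerable_lookup(conn: sqlite3.Connection, customer: str) -> list:
    # Improper output handling: model text is spliced into the SQL statement,
    # so it can change the query rather than just supply a value.
    return conn.execute(f"SELECT id FROM orders WHERE customer = '{customer}'").fetchall()


def hardened_lookup(conn: sqlite3.Connection, customer: str) -> list:
    # Parameterized query: the statement shape is fixed; the model only supplies a value.
    return conn.execute("SELECT id FROM orders WHERE customer = ?", (customer,)).fetchall()


IDENT = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_identifier(value: str) -> bool:
    """Strict allowlist check to apply before model output reaches any backend."""
    return IDENT.match(value) is not None


def render_html(model_text: str) -> str:
    """Context-aware encoding before model output is placed into an HTML page."""
    return f"<p>{html.escape(model_text)}</p>"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, hostile output:", vulnerable_lookup(conn, MODEL_OUTPUT_HOSTILE))
    print("hardened, hostile output:  ", hardened_lookup(conn, MODEL_OUTPUT_HOSTILE))
    print("hardened, benign output:   ", hardened_lookup(conn, MODEL_OUTPUT_BENIGN))
    print("validated?", validate_identifier(MODEL_OUTPUT_HOSTILE))
    print(render_html("<script>alert(1)</script>"))
```

With the hostile string the spliced query returns every customer's orders, while the parameterized query simply finds no customer by that literal name; the allowlist check rejects it before either query runs, and the HTML encoder turns markup in a reply into inert text.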
LLM06 — Excessive Agency
Modern LLM agents are granted capabilities — sending emails, executing code, querying databases, calling APIs, managing files — that extend far beyond simple question-answering. Excessive agency occurs when an LLM is given more permissions or autonomy than it needs, allowing a compromised or manipulated model to cause significant real-world harm.
Mitigation: Apply the principle of least privilege rigorously. Grant LLM agents only the minimum permissions required for each specific task. Implement human approval gates for high-impact actions, log all agent activities, and design systems to be reversible where possible.
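The LLM01 advice (never let model output trigger privileged actions without verification) and the LLM06 advice (least privilege, approval gates, logging) meet in the same place: the code that turns a model's proposed tool call into an actual call. The example below is added here and is not from the article or any agent framework; the tool registry, parameter schemas, impact ratings and the sample model outputs are constructed assumptions. Each proposed call is parsed strictly, checked against the task's allowlist and the tool's schema, gated on human approval when high-impact, and recorded whatever the outcome.

```python
import json
from dataclasses import dataclass, field
from typing import Callable

# Constructed tool registry for a support-assistant agent. Names, parameter
# schemas and impact ratings are illustrative, not a real product's API.
TOOLS = {
    "search_docs":    {"impact": "low",  "params": {"query": str}},
    "read_ticket":    {"impact": "low",  "params": {"ticket_id": str}},
    "send_email":     {"impact": "high", "params": {"to": str, "body": str}},
    "delete_records": {"impact": "high", "params": {"table": str}},
}


@dataclass
class AgentPolicy:
    """What one task is allowed to do. The model never sees or edits this."""
    allowed_tools: set                          # least privilege: tools this task may use
    approve: Callable[[str, dict], bool]        # human-in-the-loop gate for high-impact tools
    audit: list = field(default_factory=list)   # every proposed call is logged, allowed or not


def dispatch(policy: AgentPolicy, model_output: str) -> str:
    """Validate a model-proposed tool call and return the decision taken.

    Model text is untrusted input: parse strictly, check the allowlist and the
    parameter schema, and require approval for high-impact tools.
    """
    def decide(decision: str, detail) -> str:
        policy.audit.append({"decision": decision, "detail": detail})
        return decision

    try:
        call = json.loads(model_output)
        name, args = call["tool"], call["args"]
        if not isinstance(name, str) or not isinstance(args, dict):
            raise TypeError("tool must be a string and args an object")
    except (ValueError, KeyError, TypeError):
        return decide("rejected:malformed", model_output[:80])

    spec = TOOLS.get(name)
    if spec is None:
        return decide("rejected:unknown_tool", name)
    if name not in policy.allowed_tools:
        # A tool outside this task's allowlist is refused even if the model was
        # talked into asking for it; the model cannot widen its own permissions.
        return decide("rejected:not_allowed", name)
    expected = spec["params"]
    if set(args) != set(expected) or not all(isinstance(args[k], t) for k, t in expected.items()):
        return decide("rejected:bad_params", name)
    if spec["impact"] == "high" and not policy.approve(name, args):
        return decide("denied:no_approval", name)
    # Only at this point would the real tool run; the demo just records the decision.
    return decide("executed", name)


def run_scenarios() -> list:
    """Constructed model outputs run against two task policies."""
    support = AgentPolicy(allowed_tools={"search_docs", "read_ticket"},
                          approve=lambda name, args: False)
    outreach_denied = AgentPolicy(allowed_tools={"send_email"}, approve=lambda n, a: False)
    outreach_ok = AgentPolicy(allowed_tools={"send_email"}, approve=lambda n, a: True)
    email = json.dumps({"tool": "send_email",
                        "args": {"to": "customer@example.com", "body": "Hello"}})
    return [
        dispatch(support, json.dumps({"tool": "search_docs", "args": {"query": "refund policy"}})),
        dispatch(support, json.dumps({"tool": "delete_records", "args": {"table": "orders"}})),
        dispatch(support, "Sure, I will now call the admin tool"),
        dispatch(support, json.dumps({"tool": "search_docs", "args": {"query": "x", "extra": 1}})),
        dispatch(support, json.dumps({"tool": "make_payment", "args": {}})),
        dispatch(outreach_denied, email),
        dispatch(outreach_ok, email),
    ]


if __name__ == "__main__":
    for d in run_scenarios():
        print(d)
```

The approval hook stands in for whatever your organization uses for a human gate (a ticket, a chat confirmation); the important property is that the model's output can never satisfy it on its own.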
LLM07 — System Prompt Leakage
System prompts often contain valuable intellectual property, security configurations, persona definitions, and operational instructions that developers consider confidential. Through carefully crafted queries — asking the model to "repeat everything above" or to role-play as an unrestricted AI — attackers can often extract partial or full system prompt contents.
Mitigation: Do not rely on system prompt secrecy as a primary security control. Assume system prompt contents may be discoverable and design accordingly. Use robust access controls, avoid embedding credentials or sensitive business logic in prompts, and monitor for extraction attempts.
LLM08 — Vector and Embedding Weaknesses
Retrieval-Augmented Generation (RAG) systems rely on vector databases to supply LLMs with relevant context. Weaknesses in how embeddings are generated, stored, or retrieved can allow attackers to manipulate retrieval results, inject malicious content into the knowledge base, or exploit similarity search algorithms to extract sensitive stored documents.
Mitigation: Secure vector databases with proper access controls and encryption. Validate and sanitize all content before it enters the knowledge base. Implement query filtering to prevent unauthorized document retrieval and monitor vector search patterns for anomalies.
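Two of the mitigations above, validating content at ingestion and filtering queries so that users cannot retrieve documents they are not entitled to, are shown in the added example below (not code from the article or from any vector-database product). The embedding is a toy bag-of-words vector so the block runs offline; that is an assumption for the demo, and a real system would use a learned embedding model, but the access-control logic is the same. The key design point is that the access filter is applied before similarity ranking, so a restricted chunk can never be surfaced, nor probed through near-duplicate queries, by a user outside its access list. The three documents and their access lists are constructed.

```python
import math
import re
from collections import Counter


def embed(text: str) -> Counter:
    """Toy bag-of-words vector (demo assumption; stands in for a learned embedding)."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class KnowledgeBase:
    MAX_CHUNK_CHARS = 4000

    def __init__(self):
        self.docs = []

    def ingest(self, doc_id: str, text: str, allowed_groups: set, source: str) -> None:
        """Validate a chunk before it becomes retrievable at all."""
        if not allowed_groups:
            raise ValueError(f"{doc_id}: refusing to index a chunk with no access list")
        if not source:
            raise ValueError(f"{doc_id}: provenance (source) is required")
        if len(text) > self.MAX_CHUNK_CHARS:
            raise ValueError(f"{doc_id}: chunk too large")
        self.docs.append({"id": doc_id, "text": text, "vec": embed(text),
                          "acl": set(allowed_groups), "source": source})

    def retrieve(self, query: str, user_groups: set, k: int = 2) -> list:
        """Rank only the chunks the caller may read.

        The ACL filter runs before similarity ranking: a restricted document is
        never a candidate, so it cannot leak into the top-k or be located by
        crafting queries that resemble it.
        """
        q = embed(query)
        visible = [d for d in self.docs if d["acl"] & set(user_groups)]
        scored = sorted(((cosine(q, d["vec"]), d["id"]) for d in visible), reverse=True)
        return [doc_id for score, doc_id in scored[:k] if score > 0]


def build_demo_kb() -> KnowledgeBase:
    """Constructed documents with per-group access lists."""
    kb = KnowledgeBase()
    kb.ingest("pto-policy", "Paid time off policy: employees accrue vacation days monthly.",
              {"all"}, "hr-wiki")
    kb.ingest("hr-salaries", "Confidential salary bands by level for all employees.",
              {"hr"}, "hr-wiki")
    kb.ingest("eng-oncall", "Engineering on-call rotation and escalation procedure.",
              {"eng"}, "eng-wiki")
    return kb


if __name__ == "__main__":
    kb = build_demo_kb()
    query = "salary bands for employees"
    print("engineer sees:", kb.retrieve(query, {"all", "eng"}))
    print("hr sees:      ", kb.retrieve(query, {"hr"}))
```

An engineer asking about salary bands gets only the general PTO document (the closest thing they are allowed to read), while an HR user gets the salary document; the same query, filtered by entitlement rather than by similarity alone.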
LLM09 — Misinformation
LLMs can generate plausible-sounding but factually incorrect information — a phenomenon commonly called hallucination. When deployed in high-stakes domains such as healthcare, legal services, or financial advice, this can cause direct harm to end users who trust the model’s output. Adversaries can also intentionally exploit this tendency to spread targeted misinformation through AI-powered applications.
Mitigation: Ground model responses in verified, authoritative data sources using RAG or tool-augmented pipelines. Display clear confidence indicators and source citations. Implement human review for critical decisions and educate users about the limitations of AI-generated content.
LLM10 — Unbounded Consumption
LLM inference is computationally expensive. Without proper rate limiting and resource controls, attackers can trigger denial-of-service (DoS) conditions by flooding an application with resource-intensive requests, exploit prompt designs that cause extremely long model outputs, or abuse API access to run up significant costs for the target organization. This risk also encompasses model extraction attacks, where repeated querying is used to replicate a proprietary model’s capabilities.
Mitigation: Enforce strict rate limiting, per-user quotas, and maximum output token limits. Monitor for unusual usage patterns and implement circuit breakers to halt runaway processes. Set cost alerts and billing limits on API-connected AI services.
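The controls listed above (rate limit, per-user quota, output token cap, cost alert) fit naturally into one admission-control layer in front of the model API. The block below is an added example, not code from the article or from any provider's SDK: a token-bucket request limiter per user, a hard cap on input and output tokens, a daily token budget that reserves the worst case before the call is made, and a cost alert once actual usage is booked. The limit values, price and traffic in `demo()` are constructed, and the clock is injectable so the scenario is deterministic.

```python
import time
from dataclasses import dataclass


@dataclass
class Limits:
    """Per-user caps. Values are illustrative assumptions, not recommended defaults."""
    requests_per_minute: int = 10
    daily_token_budget: int = 50_000
    max_input_tokens: int = 4_000
    max_output_tokens: int = 512
    alert_cost_usd: float = 5.0


class UsageGuard:
    """Admission control in front of an LLM API: token-bucket rate limit,
    output-length cap, daily token quota and a cost alert per user."""

    def __init__(self, limits: Limits, price_per_1k_tokens: float, clock=time.time):
        self.limits = limits
        self.price = price_per_1k_tokens
        self.clock = clock        # injectable for deterministic tests
        self.buckets = {}         # user -> (available requests, last refill time)
        self.spent = {}           # user -> tokens consumed in the current day
        self.alerts = []          # users whose spend crossed the alert threshold

    def _take_request_slot(self, user: str) -> bool:
        now = self.clock()
        rpm = self.limits.requests_per_minute
        avail, last = self.buckets.get(user, (rpm, now))
        avail = min(rpm, avail + (now - last) * rpm / 60.0)   # continuous refill
        if avail < 1:
            self.buckets[user] = (avail, now)
            return False
        self.buckets[user] = (avail - 1, now)
        return True

    def admit(self, user: str, input_tokens: int, requested_output_tokens: int):
        """Return (allowed, reason, output_token_cap). Cheapest checks run first."""
        if input_tokens > self.limits.max_input_tokens:
            return False, "input_too_large", 0
        if not self._take_request_slot(user):
            return False, "rate_limited", 0
        cap = min(requested_output_tokens, self.limits.max_output_tokens)
        worst_case = input_tokens + cap     # reserve the most this call could consume
        if self.spent.get(user, 0) + worst_case > self.limits.daily_token_budget:
            return False, "quota_exceeded", 0
        return True, "ok", cap

    def record(self, user: str, tokens_used: int) -> float:
        """Book actual usage after the call; raise a cost alert once per user."""
        self.spent[user] = self.spent.get(user, 0) + tokens_used
        cost = self.spent[user] / 1000 * self.price
        if cost >= self.limits.alert_cost_usd and user not in self.alerts:
            self.alerts.append(user)
        return cost


def demo() -> dict:
    """Constructed traffic from one user against tight limits, driven by a fake clock."""
    now = [1_000.0]
    guard = UsageGuard(Limits(requests_per_minute=3, daily_token_budget=2_000, max_output_tokens=200),
                       price_per_1k_tokens=3.0, clock=lambda: now[0])
    decisions = [guard.admit("u1", 100, 1_000)[1] for _ in range(4)]   # burst: 3 ok, 4th limited
    now[0] += 60                                                        # a minute later: refilled
    allowed, reason, cap = guard.admit("u1", 100, 1_000)
    decisions.append(f"{reason}:cap={cap}")                            # output capped at 200
    cost = guard.record("u1", 1_900)                                    # one heavy call booked
    decisions.append(guard.admit("u1", 100, 50)[1])                     # daily budget now blocks
    return {"decisions": decisions, "cost_usd": round(cost, 2), "alerts": list(guard.alerts)}


if __name__ == "__main__":
    print(demo())
```

The cap returned by `admit` is what you pass to the provider as the maximum output length; reserving input plus cap against the budget before the call means a long generation cannot push a user past their quota after the fact. A rejected request still consumes a rate-limit slot, which is deliberate: retries of rejected calls should not be free.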
Why the OWASP LLM Top 10 Matters
The risks listed above are fundamentally different from classical web application vulnerabilities. They emerge from the probabilistic, generative nature of LLMs — systems that do not follow deterministic logic and can be influenced by the content they process. Organizations building or deploying AI-powered applications cannot simply apply existing security checklists; they need a dedicated framework tailored to these unique challenges.
The OWASP Top 10 for LLM Applications 2025 is maintained by a global community of AI security experts and updated to reflect the evolving threat landscape. Whether you are a developer integrating an LLM API, a security engineer reviewing an AI product, or an executive evaluating AI adoption risk, understanding these ten categories is an essential starting point.
Security in the age of AI is not optional — it is a fundamental requirement for building systems that users can trust.