The Open Web Application Security Project (OWASP) has officially released the eighth edition of its influential Top 10 security risks list for 2025, introducing significant changes that reflect the evolving landscape of application security threats.
The update features two new security categories and substantial shifts in risk rankings based on contributed data and community feedback.
Significant Additions to the List
The 2025 edition introduces two new categories. Software Supply Chain Failures appears at position A03, expanding the scope of the previous “Vulnerable and Outdated Components” category.
This addition encompasses broader compromises occurring across the entire software dependency ecosystem, build systems, and distribution infrastructure.
This reflects growing concerns about supply chain attacks that have dominated security headlines in recent years.
The second newcomer is Mishandling of Exceptional Conditions at position A10.
This entirely new category addresses improper error handling, logical errors, and failing open scenarios that systems encounter under abnormal conditions.
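The failing-open scenario the new A10 category describes is easiest to see in an authorization check whose error handling swallows an exception. The following is an added example, not code from the article or from the OWASP project: a hypothetical policy lookup that can raise when its backend is unavailable, a defective caller that grants access when that happens, and the fail-closed form. All names, the in-memory rule set and the outage flag are constructed for illustration.

```python
import logging

log = logging.getLogger(__name__)


class PolicyStoreUnavailable(Exception):
    """Raised when the backend holding access rules cannot be reached (constructed)."""


# Constructed in-memory rule set standing in for a real policy backend.
_RULES = {
    ("alice", "report:42"): {"read", "write"},
    ("bob", "report:42"): {"read"},
}


def lookup_permissions(user, resource, store_up=True):
    """Hypothetical policy lookup; store_up=False simulates a backend outage."""
    if not store_up:
        raise PolicyStoreUnavailable("policy store timed out")
    return _RULES.get((user, resource), set())


def is_allowed_fail_open(user, resource, action, store_up=True):
    """Defective pattern: the except clause ignores the error, 'denied' keeps its
    initial value of False, and the function falls through to the allow path.
    An outage of the policy store therefore grants access to everyone."""
    denied = False
    try:
        perms = lookup_permissions(user, resource, store_up)
        if action not in perms:
            denied = True
    except PolicyStoreUnavailable:
        pass  # exceptional condition mishandled: nothing logged, nothing denied
    return not denied


def is_allowed_fail_closed(user, resource, action, store_up=True):
    """Hardened form: deny by default, grant only on a positive lookup result,
    and treat any exceptional condition as a denial that is logged, not hidden."""
    try:
        perms = lookup_permissions(user, resource, store_up)
    except PolicyStoreUnavailable as exc:
        # Surface the failure to the logging/alerting pipeline instead of swallowing it.
        log.error("authorization lookup failed for %s on %s: %s; denying", user, resource, exc)
        return False
    return action in perms


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # With the store up, both variants reach the same decision.
    print(is_allowed_fail_open("bob", "report:42", "write"))                  # False
    # During an outage the defective variant grants what it should refuse.
    print(is_allowed_fail_open("bob", "report:42", "write", store_up=False))  # True
    print(is_allowed_fail_closed("bob", "report:42", "write", store_up=False))  # False
```

The structural difference is where the default lives: the defective version starts from "allowed" and looks for reasons to deny, so any path that skips the check ends in a grant; the hardened version starts from "denied" and only a successful, positive lookup can change that.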
| Rank | Category | CWEs | Prevalence |
|---|---|---|---|
| A01 | Broken Access Control | 40 | 3.73% |
| A02 | Security Misconfiguration | 16 | 3.00% |
| A03 | Software Supply Chain Failures | 5 | Low |
| A04 | Cryptographic Failures | 32 | 3.80% |
| A05 | Injection | 38 | High |
| A06 | Insecure Design | 36 | Moderate |
| A07 | Authentication Failures | 36 | Moderate |
| A08 | Software or Data Integrity Failures | 5 | Moderate |
| A09 | Logging & Alerting Failures | 5 | Moderate |
| A10 | Mishandling of Exceptional Conditions | 24 | New |
Broken Access Control keeps the number one position, with the data indicating that 3.73 percent of tested applications contained at least one weakness from the 40 CWEs mapped to this category.

The most dramatic change sees Security Misconfiguration surge from fifth place in 2021 to second position in 2025, affecting 3.00 percent of applications tested.
Previously high-ranking threats have fallen significantly. Cryptographic Failures dropped from second to fourth place, Injection vulnerabilities slid from third to fifth, and Insecure Design moved from fourth to sixth position.
Despite these declines, all three categories remain critical security concerns.
The 2025 list analyzed 589 Common Weakness Enumerations across 248 categories, a substantial increase from approximately 400 CWEs in 2021.
OWASP combined data-driven analysis with community input, using eight data-informed categories and two community-voted categories to address emerging threats.
The project analyzed roughly 175,000 CVE records from the National Vulnerability Database, incorporating CVSS exploit and impact scores to assess risk severity.
The updated OWASP Top 10 2025 serves as a crucial awareness document for developers, security teams, and organizations worldwide.
With increased emphasis on supply chain security and proper error handling, the list addresses modern attack vectors while maintaining focus on persistent threats such as access control failures and misconfigurations that continue to plague applications.