Docs

Appearance

Top risks

This page summarizes OWASP LLM01:2025–LLM10:2025 and frames each risk as governance work: what to prevent, what to monitor, and what evidence to keep.

OWASP LLM01:2025–LLM10:2025 at a glance

IDRiskWhat it usually looks like
LLM01:2025Prompt InjectionUser or retrieved content changes system behavior in unsafe ways
LLM02:2025Sensitive Information DisclosureSecrets/PII leak through responses, logs, or tool outputs
LLM03:2025Supply ChainCompromised dependencies, model providers, datasets, or infrastructure
LLM04:2025Data and Model PoisoningPoisoned training/fine-tune/RAG corpora manipulate behavior
LLM05:2025Improper Output HandlingModel outputs are trusted/executed without validation or policy checks
LLM06:2025Excessive AgencyAgents have too much autonomy/permission to act safely
LLM07:2025System Prompt LeakageHidden prompts, policies, and tool schemas are extracted
LLM08:2025Vector and Embedding WeaknessesRAG stores and embeddings become an attack and leakage surface
LLM09:2025MisinformationConfident falsehoods create harm, fraud, or bad decisions
LLM10:2025Unbounded ConsumptionRunaway cost/latency/capacity via abuse or bad controls

Source: OWASP Top 10 for LLM Applications (2025) — PDF.

How to use this taxonomy

Treat this list as:

  • a consistent vocabulary for risks and controls
  • a basis for targeted testing and monitoring
  • a way to make evidence auditable and reusable

Go deeper: Mitigations and testing.

LLM01:2025 - Prompt Injection

What it is: prompts (direct or indirect) alter behavior in unintended ways — including bypassing policies or causing unsafe tool use.

Baseline controls:

  • separate system instructions from user content and clearly label untrusted external content
  • require structured outputs (schemas/JSON) and validate deterministically
  • apply input/output filtering (including groundedness/context relevance checks)
  • constrain tools with least privilege, allowlists, and approval gates (avoid giving the model raw secrets/tokens)

Tests and signals:

  • prompt-injection regression suite (direct + indirect + obfuscated/multilingual + multimodal)
  • red teaming for jailbreaks and tool abuse

Evidence to keep: threat model, guardrail design decisions, test results history, remediation records.

LLM02:2025 - Sensitive Information Disclosure

What it is: leakage of secrets, personal data, or confidential data via responses, logs, traces, or tool outputs.

Baseline controls:

  • secrets hygiene (never in prompts; vault; rotation) and data minimization in inputs/logs
  • strict context scoping and least-privilege access control for retrieval and tools
  • input/output filtering for sensitive patterns; retention rules and access control on logs/traces
  • transparency and opt-out controls for training on user data (do not treat system prompts as a security boundary)

Tests and signals:

  • “canary” secret leak tests and retrieval scoping tests
  • log access review cadence; incident drills

Evidence to keep: data flow map, retention policy, access controls, leak test results, user transparency/opt-out artifacts, incident records.

LLM03:2025 - Supply Chain

What it is: risk introduced by model providers, datasets, dependencies, tooling, plugins, and hosting.

Baseline controls:

  • vendor/model due diligence (including T&Cs/privacy changes) with re-review on material changes
  • SBOM/ML-BOM inventories (models, adapters like LoRA/PEFT, datasets, dependencies) + license compliance
  • integrity verification for models/adapters/code (pinning, signing/hashes) and secure update channels
  • evaluate third-party models for your use cases; keep patching and deprecation strategies for models/APIs

Tests and signals:

  • dependency scanning and drift alerts
  • provenance/signature verification checks and vendor re-approval cadence

Evidence to keep: vendor reviews, subprocessor lists, SBOM/ML-BOM notes, license records, integrity attestations, change approvals.

LLM04:2025 - Data and Model Poisoning

What it is: attackers (or bad upstream data) poison training/fine-tune data, evaluation data, or RAG corpora to create backdoors, bias, or manipulation.

Baseline controls:

  • track provenance and transformations of data and model artifacts (BOM-style) and use data version control
  • validate and sandbox untrusted data sources; detect anomalies in corpus changes (including backdoors/sleeper triggers)
  • secure serialization/handling for model artifacts and ingestion pipelines (avoid unsafe loaders)
  • prefer controlled retrieval stores for user-supplied knowledge over retraining by default

Tests and signals:

  • anomaly detection on corpus changes
  • evaluation drift detection after data/model updates

Evidence to keep: dataset documentation, provenance/version logs, ingestion run logs, evaluation reports, training monitoring, approval records.

LLM05:2025 - Improper Output Handling

What it is: model outputs are treated as truth or executed without validation (e.g., tool invocation, SQL, code, policy decisions).

Baseline controls:

  • treat model output as untrusted user input; validate/sanitize and apply context-aware encoding (ASVS-style)
  • use structured outputs (schemas) + strict parsing where possible
  • use safe downstream interfaces (parameterized queries, CSP for rendered content) and action policy checks
  • require human review/approvals for high-impact actions; monitor and rate-limit suspicious patterns

Tests and signals:

  • negative testing for injection and unsafe outputs (XSS/SQL/path traversal/action payloads)
  • permission boundary tests for tools/actions

Evidence to keep: output handling policy, schema definitions, approval gates, test outputs linked to controls.

LLM06:2025 - Excessive Agency

What it is: agentic systems have permissions that exceed what can be safely monitored and controlled.

Baseline controls:

  • minimize which tools are available; prefer narrow, purpose-built tools over open-ended ones
  • enforce least privilege in downstream systems and execute actions in the user’s auth context (complete mediation)
  • step-up approvals and “break-glass” workflows for high-impact actions
  • bound autonomous loops (steps/time/spend) and monitor/rate-limit tool activity

Tests and signals:

  • agent permission and escalation tests
  • monitoring for unusual tool patterns and action rates

Evidence to keep: permission model, approval workflow records, monitoring dashboards, incident postmortems.

LLM07:2025 - System Prompt Leakage

What it is: attackers extract hidden prompts, policies, tool schemas, or internal instructions — enabling targeted bypass and abuse.

Baseline controls:

  • treat prompts as discoverable configuration: do not store secrets or authorization logic in prompts
  • externalize sensitive logic/data and enforce authz/session boundaries outside the LLM
  • implement independent guardrails/output inspection; detect extraction attempts and rate-limit probing

Tests and signals:

  • prompt extraction attempts in red-team suites
  • monitoring for repeated probing patterns

Evidence to keep: prompt governance records, change history, test results and fixes.

LLM08:2025 - Vector and Embedding Weaknesses

What it is: RAG and embedding pipelines can leak data, amplify prompt injection, and introduce integrity issues (poisoned content, weak access controls).

Baseline controls:

  • permission-aware access control and strict tenancy partitioning for vector stores
  • validate sources and audit knowledge bases for hidden instructions/poisoning; tag/classify data for safe retrieval
  • retrieval constraints (scopes/allowlists) and citation/grounding requirements where appropriate
  • immutable retrieval logging and anomaly detection (consider embedding inversion/leakage risks)

Tests and signals:

  • RAG injection regression tests
  • corpus drift, cross-tenant leakage, and unauthorized access checks

Evidence to keep: RAG architecture, ingestion controls, retrieval policy, retrieval logs, evaluation results.

LLM09:2025 - Misinformation

What it is: confident falsehoods, fabricated citations, or misleading output that creates operational or user harm.

Baseline controls:

  • grounding/citation requirements and cross-verification for factual outputs (with automatic validation where possible)
  • define “allowed use” and high-risk restrictions; require human oversight for high-impact contexts
  • risk communication and UI design that encourages verification and reduces overreliance
  • secure coding practices (especially for code suggestions) and feedback loops for corrections

Tests and signals:

  • factuality and hallucination evaluation suites (including citation checks)
  • monitoring for user-reported errors and escalation outcomes

Evidence to keep: evaluation methodology, thresholds, review records, remediation loop history.

LLM10:2025 - Unbounded Consumption

What it is: denial-of-wallet/denial-of-service dynamics: runaway spend, latency, and capacity due to abuse or missing controls.

Baseline controls:

  • strict input validation and size limits; strong auth + rate limits/quotas/budgets/timeouts
  • resource management and circuit breakers; caching and fallbacks for expensive calls
  • reduce sensitive API surfaces (e.g., avoid exposing rich logprobs/logits unless needed) and guard against model extraction
  • usage monitoring and anomaly detection for abuse patterns

Tests and signals:

  • load and abuse tests (long prompts, recursion, tool loops, extraction attempts)
  • spend/latency SLO alerts tied to response playbooks

Evidence to keep: budget policies, monitoring dashboards, incident response records, post-incident fixes.