// OWASP LLM Top 10
Ten vulnerability categories for Large Language Model applications — 2025 edition.
Prompt Injection
Attackers manipulate LLM inputs to override instructions, exfiltrate data, or execute unintended actions through crafted prompts.
Sensitive Information Disclosure
LLMs inadvertently reveal confidential data, system prompts, training data, or PII through outputs or inference attacks.
Supply Chain
Compromised third-party models, datasets, or plugins introduce vulnerabilities, backdoors, or malicious behavior into LLM deployments.
Data and Model Poisoning
Adversarial manipulation of training data or fine-tuning processes to embed backdoors or bias model behavior.
Improper Output Handling
Downstream systems blindly trust LLM output, enabling XSS, SSRF, code injection, or command execution vulnerabilities.
Excessive Agency
LLM agents with excessive permissions, autonomy, or capabilities perform unintended high-impact actions without oversight.
System Prompt Leakage
Confidential system prompts, operational instructions, or business logic are extracted through carefully crafted user inputs.
Vector and Embedding Weaknesses
Attacks exploit vulnerabilities in vector databases and embedding systems used in RAG pipelines to manipulate retrieval.
Misinformation
LLMs generate convincing but false information; users' overconfidence in fluent, authoritative-sounding output lets harmful or deceptive content spread at scale.
Unbounded Consumption
Attackers exploit LLMs to consume excessive compute resources, inflating costs or degrading service availability.