OWASP Top 10 for LLM Applications

Publisher: Open Worldwide Application Security Project Version: 2025

Identifies the most critical security risks in applications utilizing large language models. Covers prompt injection, insecure output handling, training data poisoning, model denial of service, supply chain vulnerabilities, and more.

Domains: Tier:

ID	Name	Description	Domains
LLM01	Prompt Injection	Attackers manipulate LLM inputs to override system instructions or inject malicious commands. Can occur directly thro...	build secure
LLM02	Insecure Output Handling	LLM outputs are passed to downstream systems or rendered without validation. This creates injection vulnerabilities w...	build
LLM03	Training Data Poisoning	Attackers manipulate training data or fine-tuning datasets to introduce backdoors, biases, or vulnerabilities. Poison...	build secure
LLM04	Model Denial of Service	Attackers exploit resource-intensive LLM operations to cause excessive costs, performance degradation, or service out...	secure
LLM05	Supply Chain Vulnerabilities	LLM applications rely on third-party models, datasets, plugins, and frameworks that may be compromised. Supply chain ...	govern secure
LLM06	Sensitive Information Disclosure	LLMs may inadvertently reveal sensitive data including PII, credentials, or proprietary information through outputs. ...	secure
LLM07	Insecure Plugin Design	LLM plugins and extensions accept untrusted inputs or lack proper authorization. Insecure plugins enable unauthorized...	secure build
LLM08	Excessive Agency	LLM-based systems granted excessive permissions or autonomy perform unintended high-impact actions. Lack of oversight...	secure deploy
LLM09	Overreliance	Users or systems trust LLM outputs without verification, accepting hallucinations or errors as fact. Overreliance lea...	build
LLM10	Model Theft	Attackers extract or replicate proprietary LLMs through API abuse, model inversion, or unauthorized access. Stolen mo...	secure