The Most Critical Web Application Risks 2025
10 Categories, 248 CWEs, compiled from real vulnerability data and AppSec community input.
- Most frequent vulnerability: incorrect or missing access controls (40 CWEs, incl. SSRF).
- Configuration increasingly controls app behavior – misconfigurations are rapidly growing.
- Low frequency in tests, but very high Exploitability and Impact scores warrant top placement.
- NEW: Categories bundle related vulnerabilities for training, governance, and effective risk management.
The OWASP Top 10:2025 – Compact Overview
Summary + One Key Action per Category
Broken Access Control
Users can access functions or data they are not authorized for (including Server-Side Request Forgery - SSRF).
Key Action: Implement strict roles & permissions, enforce "deny by default."
Security Misconfiguration
Insecure defaults, open admin interfaces, unnecessary features, or missing system hardening.
Key Action: Implement "Secure by Default" configuration and automated hardening checks.
Software Supply Chain Failures
Compromised dependencies, build pipelines, or distribution channels endanger entire systems.
Key Action: Use SBOMs, signatures, verified registries & build integrity checks.
Cryptographic Failures
Incorrect or missing encryption leads to data exfiltration or system compromise.
Key Action: Use modern algorithms, strong key management, and avoid custom crypto implementations.
Injection
Unfiltered input is executed as code or a query (e.g., SQLi, XSS, Command Injection).
Key Action: Use parameterized queries, strong validation, output encoding, and modern frameworks.
Insecure Design
Security aspects are missing from the architecture and design stages of the application.
Key Action: Conduct threat modeling and define security requirements in every project phase.
Authentication Failures
Weak or flawed authentication—from password policies to session handling.
Key Action: Use proven auth frameworks + MFA instead of custom solutions.
Software or Data Integrity Failures
Integrity of code, data, and trust boundaries is not checked or ensured.
Key Action: Use signatures, checksums, secure update mechanisms, and verification policies.
Logging & Alerting Failures
Security-relevant events are not logged or lack meaningful, timely alerting.
Key Action: Use case-based logging plus alerts with clear runbooks for incident response.
Mishandling of Exceptional Conditions
Error and exception cases are handled insecurely (fail-open, unclear logic, information leaks).
Key Action: Implement defensive error handling: clear defaults and no sensitive data in error messages.
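As an added illustration of the "deny by default" and "defensive error handling" key actions above (example code written for this overview, not OWASP's own), a fail-open authorization check beside a fail-closed one; the role table, the permission-store error and the internal hostname in its message are all constructed.

```python
"""Fail-open vs. fail-closed authorization (added example, not OWASP's code)."""
import logging

log = logging.getLogger("authz")

# Constructed role table: user -> permissions granted (hypothetical data).
ROLES = {"alice": {"read", "write"}, "bob": {"read"}}


class PermissionStoreError(Exception):
    """Constructed stand-in for a backend failure (DB timeout, network error)."""


def lookup_permissions(user, store):
    """Return the user's permissions; a store of None simulates an outage."""
    if store is None:
        # The message deliberately carries internal detail (a constructed host)
        # so the information leak in the fail-open variant is visible.
        raise PermissionStoreError("store unreachable at db://internal-host:5432")
    return store.get(user, set())  # unknown user -> no permissions


def decide_fail_open(user, action, store=ROLES):
    """VULNERABLE pattern (A10 + A01): an exception skips the check and the
    raw error text is handed to the caller. Returns (allowed, client_message)."""
    try:
        return action in lookup_permissions(user, store), "ok"
    except Exception as exc:
        return True, f"permission check skipped: {exc}"  # fail-open + leak


def decide_fail_closed(user, action, store=ROLES):
    """Hardened pattern: deny by default, keep the detail in the internal log,
    and return only a generic message to the caller."""
    try:
        allowed = action in lookup_permissions(user, store)
    except PermissionStoreError:
        log.exception("authz lookup failed user=%s action=%s", user, action)
        return False, "request could not be authorized"
    return allowed, ("ok" if allowed else "forbidden")


if __name__ == "__main__":
    # Simulated outage: the first call grants access, the second denies it.
    print(decide_fail_open("bob", "write", store=None))
    print(decide_fail_closed("bob", "write", store=None))
```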
What's New in the 2025 Edition?
The new edition reflects current attack realities, supply chain risks, and community experience.
- New: A03 Software Supply Chain Failures (High Impact).
- New: A10 Mishandling of Exceptional Conditions (Error Logic).
- SSRF has been integrated into A01 Broken Access Control.
- Name updates for A07 (Authentication) and A09 (Logging & Alerting).
- Strong emphasis on root causes rather than pure symptoms (e.g., "Sensitive Data Exposure" is now better categorized under cryptographic/access failures).
How is the OWASP Top 10:2025 Created?
A combination of a massive vulnerability data set and a global AppSec Community Survey.
- 589 CWEs in the data source; 248 CWEs bundled in the Top 10.
- ~220,000 CVEs evaluated with CVSS v2/v3 scores.
- Weighted Exploitability and Impact scores per CWE determine rank.
- 8 of 10 categories are derived directly from this data.
- AppSec professionals report current trends and pain points.
- 2 categories can be "voted in" if they are underrepresented in the raw data.
- This allows new and emerging risks to be visible before broad testing tools can detect them widely.