Advisories

Weaknesses

Fixes

Requirements

Compliance

OWASP Top 10 for LLM Applications

Summary

The OWASP Top 10 for Large Language Model Applications highlights the most critical security risks in LLM applications, explaining their potential impact, ease of exploitation, and prevalence in real-world applications.

Definitions

Definition	Requirements
OWASPLLM-LLM01:2025. Prompt Injection	160. Encode system outputs 173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters 382. Human in the loop
OWASPLLM-LLM02:2025. Sensitive Information Disclosure	173. Discard unsafe inputs 176. Restrict system objects 177. Avoid caching and temporary files 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 300. Mask sensitive data 342. Validate request parameters 077. Avoid disclosing technical information
OWASPLLM-LLM03:2025. Supply Chain	262. Verify third-party components
OWASPLLM-LLM04:2025. Data and Model Poisoning	173. Discard unsafe inputs 262. Verify third-party components 383. Sandboxing to limit model exposure to unverified data sources
OWASPLLM-LLM05:2025. Improper Output Handling	173. Discard unsafe inputs 265. Restrict access to critical processes 321. Avoid deserializing untrusted data 342. Validate request parameters
OWASPLLM-LLM06:2025. Excessive Agency	186. Use the principle of least privilege 382. Human in the loop
OWASPLLM-LLM07:2025. System Prompt Leakage	173. Discard unsafe inputs 176. Restrict system objects 177. Avoid caching and temporary files 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 300. Mask sensitive data 342. Validate request parameters 077. Avoid disclosing technical information
OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses	160. Encode system outputs 173. Discard unsafe inputs 176. Restrict system objects 177. Avoid caching and temporary files 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 262. Verify third-party components 300. Mask sensitive data 320. Avoid client-side control enforcement 342. Validate request parameters 383. Sandboxing to limit model exposure to unverified data sources 077. Avoid disclosing technical information
OWASPLLM-LLM09:2025. Misinformation	316. Allow rectification requests
OWASPLLM-LLM10:2025. Unbounded Consumption	176. Restrict system objects 327. Set a rate limit 072. Set maximum response time 077. Avoid disclosing technical information

Last updated

2025/06/17