Fluid Attacks Database

OWASP Top 10 for LLM Applications

Last updated: 2025/06/17

The OWASP Top 10 for Large Language Model Applications highlights the most critical security risks in LLM applications, explaining their potential impact, ease of exploitation, and prevalence in real-world applications.

Control-Requirement Mapping

Definition	Requirements
LLM01:2025. Prompt Injection	160. Encode system outputs 173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters 382. Human in the loop
LLM02:2025. Sensitive Information Disclosure	173. Discard unsafe inputs 176. Restrict system objects 177. Avoid caching and temporary files 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 300. Mask sensitive data 342. Validate request parameters 077. Avoid disclosing technical information
LLM03:2025. Supply Chain	262. Verify third-party components
LLM04:2025. Data and Model Poisoning	173. Discard unsafe inputs 262. Verify third-party components 383. Sandboxing to limit model exposure to unverified data sources
LLM05:2025. Improper Output Handling	173. Discard unsafe inputs 265. Restrict access to critical processes 321. Avoid deserializing untrusted data 342. Validate request parameters
LLM06:2025. Excessive Agency	186. Use the principle of least privilege 382. Human in the loop
LLM07:2025. System Prompt Leakage	173. Discard unsafe inputs 176. Restrict system objects 177. Avoid caching and temporary files 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 300. Mask sensitive data 342. Validate request parameters 077. Avoid disclosing technical information
LLM08:2025. Vector and Embedding Weaknesses	160. Encode system outputs 173. Discard unsafe inputs 176. Restrict system objects 177. Avoid caching and temporary files 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 262. Verify third-party components 300. Mask sensitive data 320. Avoid client-side control enforcement 342. Validate request parameters 383. Sandboxing to limit model exposure to unverified data sources 077. Avoid disclosing technical information
LLM09:2025. Misinformation	316. Allow rectification requests
LLM10:2025. Unbounded Consumption	176. Restrict system objects 327. Set a rate limit 072. Set maximum response time 077. Avoid disclosing technical information

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.