OWASP Top 10 for Web Applications — 2025
The OWASP Top 10 is the most widely referenced community consensus on the most critical risks to web applications. The 2025 edition restructured the list: Software Supply Chain Failures became its own category (expanded from 2021's Vulnerable and Outdated Components), Mishandling of Exceptional Conditions is new, and Server-Side Request Forgery (SSRF) was folded into Broken Access Control. Each category below links to a page showing the underlying CWEs, related NIST SP 800-53 controls, and the CVEs tagged with the category. In the table, the CWEs column is the number of CWE entries mapped to the category and the CVEs column is the number of CVEs tagged with it; neither is the ranking criterion, which OWASP derives from its own incidence data.
| # | Code | Category | Description | CWEs | CVEs |
|---|---|---|---|---|---|
| 1 | A01:2025 | Broken Access Control | Authorization decisions fail or are bypassed, letting users do or see things they shouldn't. Includes path traversal, IDOR, missing function-level access checks, CSRF, and (merged in for 2025) SSRF. | 40 | 57,092 |
| 2 | A02:2025 | Security Misconfiguration | Defaults are weak, hardening is incomplete, cloud / framework / server settings leave attack surface exposed. | 16 | 2,003 |
| 3 | A03:2025 | Software Supply Chain Failures | Vulnerable, outdated, or compromised dependencies, build pipelines, and signing infrastructure. Expanded from 2021's 'Vulnerable and Outdated Components'. | 6 | 42 |
| 4 | A04:2025 | Cryptographic Failures | Sensitive data exposed in transit or at rest due to absent, weak, or misused cryptography. | 32 | 3,962 |
| 5 | A05:2025 | Injection | Untrusted input crosses an interpreter boundary without proper neutralization. SQL, OS command, LDAP, XSS, template injection. | 37 | 93,077 |
| 6 | A06:2025 | Insecure Design | Design-level weaknesses — missing or flawed controls baked into the architecture, irrespective of implementation quality. | 39 | 15,169 |
| 7 | A07:2025 | Authentication Failures | Identity verification can be bypassed, brute-forced, or hijacked. Credential stuffing, weak password reset flows, session-management mistakes. | 36 | 13,669 |
| 8 | A08:2025 | Software or Data Integrity Failures | Code or data is trusted without integrity verification — insecure deserialization, unsigned updates, CI/CD compromise paths. | 14 | 5,726 |
| 9 | A09:2025 | Security Logging and Alerting Failures | Security-relevant events aren't logged, alerts don't fire, or log integrity isn't protected — incidents go undetected. | 5 | 1,232 |
| 10 | A10:2025 | Mishandling of Exceptional Conditions | New for 2025. Error and exception paths leak information, fail open, or leave the application in an inconsistent state. Includes authentication and authorization checks that fail open on an unexpected error, and error handling that exposes or creates logic flaws. | 24 | 7,945 |
Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org. Companion list: OWASP Top 10 for LLM Applications 2025.
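Fail-open error handling, the A10:2025 failure mode named in the table, as an added example that is not part of the OWASP list or this page: a constructed HMAC-signed token format and a hypothetical "is this caller an admin?" check written twice, once with a decision variable that defaults to allow and an unexpected-error handler that only logs, and once default-deny. The secret key, token format, function names and sample tokens are all constructed for the demonstration.

```python
"""Fail-open vs. fail-closed handling of an exceptional condition in an auth check.

Added example for A10:2025; not code from OWASP. The token format, secret and
sample tokens are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import logging

# Constructed demo key; a real deployment would load this from a secret store.
SECRET = b"constructed-demo-key-not-for-real-use"


def sign_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a minimal '<urlsafe-base64 json>.<hex hmac-sha256>' token (constructed format)."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()
    ).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_token(token: str, key: bytes = SECRET) -> dict:
    """Verify and decode a token.

    Raises PermissionError on a bad signature, ValueError (from the split, the
    base64 decode or the JSON decode) on a malformed token, and TypeError if the
    MAC field is not ASCII (hmac.compare_digest refuses non-ASCII str input).
    """
    body, mac = token.split(".", 1)  # ValueError if there is no '.'
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def admin_allowed_fail_open(token: str) -> bool:
    """Vulnerable (A10): the decision defaults to allow and only the failure
    paths the author anticipated flip it. An unexpected exception is logged and
    swallowed, so a malformed token is treated as an admin."""
    denied = False
    try:
        claims = parse_token(token)
        if claims.get("role") != "admin":
            denied = True
    except PermissionError:
        denied = True
    except Exception as exc:  # the bug: log-and-continue on an unexpected error
        logging.error("token error: %s", exc)
    return not denied


def admin_allowed(token: str) -> bool:
    """Hardened: default deny. The success path is the only one that can return
    True; every exceptional condition, expected or not, ends in False."""
    try:
        claims = parse_token(token)
    except PermissionError:
        logging.warning("rejected token: bad signature")
        return False
    except ValueError as exc:  # also covers binascii.Error and json.JSONDecodeError
        logging.warning("rejected malformed token: %s", type(exc).__name__)
        return False
    except Exception:
        logging.exception("unexpected error while checking token; denying")
        return False
    return isinstance(claims, dict) and claims.get("role") == "admin"


def compare(token: str) -> tuple:
    """Return (fail_open_verdict, hardened_verdict) for one token."""
    return admin_allowed_fail_open(token), admin_allowed(token)


if __name__ == "__main__":
    admin_tok = sign_token({"sub": "alice", "role": "admin"})
    user_tok = sign_token({"sub": "bob", "role": "user"})
    cases = [
        ("valid admin", admin_tok),
        ("valid user", user_tok),
        ("no dot", "no-dot-in-this-token"),
        ("non-ascii mac", "x.\u00e9"),
    ]
    for label, tok in cases:
        print(f"{label:14s} fail-open={compare(tok)[0]!s:5s} hardened={compare(tok)[1]}")
```

The two malformed inputs trigger two different exception types (ValueError from the field split, TypeError from the constant-time compare), and the log-and-continue handler absorbs both into an allow. The hardened version also distinguishes the expected rejection (bad signature) from the unexpected failure in its log messages, which is what the A09 category asks for when the unexpected path is later hunted in the logs.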