OWASP Top 10 for LLM Applications 2025
A practical guide to prompt injection, sensitive data exposure, RAG boundaries, model supply chain, unsafe output handling, excessive agency, and the rest of the OWASP LLM Top 10.
Boundary map (diagram labels): Untrusted input, Model context, Tools and data, Control layer, Decision record.
The list is most useful when each category maps to a concrete system boundary: who can influence the model, what data can enter context, which tools can act, and what control stops a bad path before it reaches production.
Category guides
Each page explains the risk, shows a common chain, and lists the controls an engineering or security team can actually review.
LLM01:2025 Prompt Injection
Prompt injection happens when an attacker uses instructions in user input, documents, webpages, tickets, or tool output to change the model's intended behavior.

LLM02:2025 Sensitive Information Disclosure
Sensitive information disclosure occurs when an AI system exposes secrets, regulated data, customer records, proprietary material, or internal context through outputs, logs, tools, or retrieval.

LLM03:2025 Supply Chain
Supply chain risk covers compromised or unreviewed models, datasets, plugins, packages, MCP servers, prompts, templates, infrastructure, and vendors used by the AI application.

LLM04:2025 Data and Model Poisoning
Data and model poisoning happens when training, fine-tuning, RAG, feedback, or memory data is manipulated so the AI system learns or retrieves attacker-shaped behavior.

LLM05:2025 Improper Output Handling
Improper output handling occurs when model output is trusted as safe code, markup, commands, database input, tool arguments, or business decisions without validation.

LLM06:2025 Excessive Agency
Excessive agency occurs when an AI system has more autonomy, permissions, tools, or action scope than the task requires.

LLM07:2025 System Prompt Leakage
System prompt leakage happens when hidden instructions, policy text, tool rules, internal routing logic, or operational context is exposed through model responses.

LLM08:2025 Vector and Embedding Weaknesses
Vector and embedding weaknesses affect RAG systems when embeddings, vector stores, chunking, metadata, retrieval filters, or similarity logic expose or distort context.

LLM09:2025 Misinformation
Misinformation occurs when an AI system produces false, unsupported, outdated, or misleading output that users or downstream systems treat as reliable.

LLM10:2025 Unbounded Consumption
Unbounded consumption occurs when attackers or faulty workflows drive excessive model calls, token usage, context growth, tool loops, compute, cost, or availability impact.
Use it in review
OWASP gives the categories. The work is translating them into testable boundaries, named owners, and controls that survive model upgrades and product changes.
Read the official OWASP 2025 PDF.
Review checklist:
Map each category to runtime components.
Test direct and indirect prompt paths.
Inventory MCP, OAuth, and tool authority.
Review RAG source, tenant, and vector boundaries.
Set launch criteria with named owners.
Keep regression probes after remediation.