TKOResearch
OWASP LLM Top 10 guide

LLM05:2025

Improper Output Handling

Improper output handling occurs when model output is trusted as safe code, markup, commands, database input, tool arguments, or business decisions without validation.

Step 01 Input → Step 02 Model → Step 03 Tool / Data → Step 04 Impact

What it is

The application treats probabilistic model output as a trusted system instruction or safe data object before applying schema validation, escaping, policy checks, and human review where needed.

Why it matters

Bad output handling can turn a model response into code execution, unsafe content, broken workflow state, customer-facing errors, or unauthorized tool actions.

Failure path

How it usually fails.

A useful review breaks this chain before the system reaches production data, tools, or customer-facing decisions.

Path 01

Influence the model to emit unsafe HTML, code, command text, SQL-like input, tool arguments, or workflow instructions.

Path 02

Rely on the application to pass that output into an interpreter, renderer, database, API, or human workflow.

Path 03

Trigger downstream effects outside the model boundary.

Defenses

Controls worth checking.

The strongest controls are enforced outside the model and can be retested after a prompt, model, or workflow change.

Control 01

Validate structured output

Use strict schemas, allowlists, type checks, and server-side policy checks before using model output as application input.

Control 02

Escape and sandbox rendering

Treat generated markup, code, files, and links as untrusted until escaped, scanned, or executed in a constrained environment.

Control 03

Separate advice from execution

Do not let model text directly become tool arguments for sensitive operations without a deterministic validation layer.
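Controls 01 and 03 together, as an added example that is not part of this guide: a deterministic validation layer in Python that sits between model text and tool execution, enforcing an allowlisted schema, server-side policy limits and HTML escaping after generation rather than relying on the prompt. The tool names, argument schemas and refund limit are constructed placeholders.

```python
import html
import json

# Constructed, hypothetical tool allowlist: tool name -> required argument types.
# Anything the model emits that is not in this table is rejected before execution.
TOOL_SCHEMAS = {
    "lookup_order": {"order_id": str},
    "issue_refund": {"order_id": str, "amount_cents": int},
}
MAX_REFUND_CENTS = 5_000  # server-side policy limit, independent of the prompt

class OutputRejected(ValueError):
    """Raised when model output fails schema or policy validation."""

def validate_tool_call(raw_output: str) -> dict:
    """Enforce the JSON contract {"tool", "args", "reply"} after generation,
    rather than trusting that the prompt which requested it was obeyed."""
    try:
        data = json.loads(raw_output)
    except json.JSONDecodeError as exc:
        raise OutputRejected(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict) or set(data) != {"tool", "args", "reply"}:
        raise OutputRejected("unexpected top-level shape")
    tool, args, reply = data["tool"], data["args"], data["reply"]
    if not isinstance(tool, str) or tool not in TOOL_SCHEMAS:  # allowlist, never a denylist
        raise OutputRejected(f"tool not allowed: {tool!r}")
    schema = TOOL_SCHEMAS[tool]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise OutputRejected("argument names do not match schema")
    for name, typ in schema.items():
        # bool is a subclass of int in Python, so exclude it from int fields.
        if isinstance(args[name], bool) or not isinstance(args[name], typ):
            raise OutputRejected(f"argument {name!r} has wrong type")
        if typ is str and not args[name].isalnum():  # no metacharacters downstream
            raise OutputRejected(f"argument {name!r} must be alphanumeric")
    if tool == "issue_refund" and not 0 < args["amount_cents"] <= MAX_REFUND_CENTS:
        raise OutputRejected("refund amount outside policy")
    if not isinstance(reply, str):
        raise OutputRejected("reply must be a string")
    # Free text only ever reaches a human via the renderer, so escape it for HTML.
    return {"tool": tool, "args": args, "reply": html.escape(reply)}

def rejection_reason(raw_output: str):
    """None if the output is accepted, otherwise the reason it was rejected."""
    try:
        validate_tool_call(raw_output)
        return None
    except OutputRejected as exc:
        return str(exc)
```

Only the dict returned by `validate_tool_call` should be handed to the tool dispatcher; the raw model string never reaches it.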

Signals to review

  • Model output passed directly to APIs, shells, browsers, databases, or template renderers.
  • Generated links, HTML, or files displayed without sanitization.
  • Tool arguments derived from free-form output instead of strict objects.

Questions for your team

  • Where does model output become input to another system?
  • Are schemas enforced after generation or only requested in the prompt?
  • Can unsafe generated content reach a browser, shell, database, or API?