OWASP Top 10:2025 - Two New Categories and a Fundamental Reprioritisation of Application Security Risks
The OWASP Top 10:2025 introduces two new categories and implements significant repositioning of existing risks, reflecting a shift in the threat landscape from isolated code flaws to systemic vulnerabilities affecting entire development cycles. Software Supply Chain Failures establishes itself as the third-highest risk and addresses the growing sophistication of attacks on dependencies and build infrastructure, while Mishandling of Exceptional Conditions debuts at position ten and acknowledges that error handling is a fundamental security control. At the same time, Security Misconfiguration moves from position five to position two, while Server-Side Request Forgery has been consolidated into Broken Access Control.
Methodological Approach and Data Basis
The 2025 prioritisation methodology balances multiple risk dimensions rather than relying on individual metrics. OWASP calculated incidence rates by determining what percentage of tested applications contained at least one instance of each CWE category. The analysis covered data from more than 2.8 million applications, making it the most comprehensive vulnerability dataset ever compiled. The final risk scoring algorithm integrated five dimensions: maximum incidence rate, maximum coverage, average exploit score, average impact score, and total occurrences.
A03:2025 Software Supply Chain Failures: Critical Ecosystem Risk
Software Supply Chain Failures is an evolution of the 2021 category "Vulnerable and Outdated Components". The 2025 expansion recognises that the supply chain includes every component and tool involved in building, integrating, testing, and distributing software, from developer workstations and build servers to artefact repositories.
The 2020 SolarWinds Orion attack demonstrated the devastating potential of supply chain attacks, when attackers gained access to build infrastructure and injected malicious code into legitimate software updates distributed to approximately 18,000 organisations. The GlassWorm supply chain attack in 2025 targeted the Visual Studio Code Marketplace with a self-replicating worm that automatically updated on developer machines.
These incidents highlight critical aspects: supply chain compromises can affect hundreds of thousands or millions of downstream users through a single attack, detection becomes exponentially more difficult because the malicious code appears legitimate, and attackers are increasingly targeting developer machines themselves.
OWASP recommends comprehensive supply chain hardening, including software bill of materials tracking, continuous monitoring of vulnerability disclosures, hardening of code repositories with branch protection and multi-factor authentication, continuous patching on developer workstations, and strong separation of duties in build pipelines.
A10:2025 Mishandling of Exceptional Conditions: Error Handling as a Security Control
Mishandling of Exceptional Conditions elevates weaknesses previously dismissed as "code quality issues" into a formal security risk category. This category reflects the growing understanding that improper error handling creates exploitable security weaknesses.
The category covers 24 CWEs focusing on improper error handling, logic errors, and "fail-open" conditions. Mishandling can manifest through three failure modes: first, when applications do not prevent exceptional circumstances from occurring at all; second, when errors occur but are not detected, for example when a function ignores error return codes instead of raising an exception; and third, when the response to a detected error is poor or absent, such as an application displaying raw stack traces with sensitive system information.
The "fail-open" failure mode deserves particular attention: when a security control encounters an error and implicitly grants access rather than denying it. The principle of secure failure requires that systems default to "deny" when security controls fail.
Poor error handling can create race conditions, enable fraudulent transactions, and amplify denial-of-service attacks. The practical recommendation is structured exception handling at every code level, with meaningful responses that address the underlying problem rather than masking it.
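The following is an added example, not code from the OWASP document, showing the fail-open failure mode next to the secure-failure pattern described above, plus a request handler that detects errors and answers without leaking stack traces. PermissionStore, load_resource and the user and resource names are constructed for the example.

```python
import logging
import uuid

log = logging.getLogger("authz")

class PermissionStore:
    """Constructed stand-in for a permission backend that may be unreachable."""
    def __init__(self, grants, available=True):
        self.grants = grants            # {(user, resource): True}
        self.available = available
    def has_grant(self, user, resource):
        if not self.available:
            raise ConnectionError("permission backend unreachable")
        return self.grants.get((user, resource), False)

def is_allowed_fail_open(store, user, resource):
    """Fail-open: the error is swallowed and the default 'denied = False' grants access."""
    denied = False
    try:
        denied = not store.has_grant(user, resource)
    except Exception:
        pass                            # error detected but ignored
    return not denied

def is_allowed_fail_closed(store, user, resource):
    """Secure failure: any error inside the control defaults to deny."""
    try:
        return bool(store.has_grant(user, resource))
    except Exception:
        log.exception("permission check failed for %s on %s", user, resource)
        return False

def load_resource(resource):
    """Constructed data access that fails for one id to exercise the error path."""
    if resource == "broken":
        raise RuntimeError("disk read error at /srv/data/broken")
    return {"resource": resource}

def handle_request(store, user, resource):
    """Returns (status, body): denies when the control fails and replaces
    unexpected errors with an opaque reference instead of a stack trace."""
    if not is_allowed_fail_closed(store, user, resource):
        return 403, {"error": "forbidden"}
    try:
        return 200, load_resource(resource)
    except Exception:
        ref = uuid.uuid4().hex[:8]      # correlates the log entry with the reply
        log.exception("request failed ref=%s", ref)
        return 500, {"error": "internal error", "ref": ref}
```

With the backend unreachable, the fail-open check grants access to a user who holds no grant, while the fail-closed check denies; the handler's 500 reply carries only a correlation reference, and the path and trace stay in the server log.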
A02:2025 Security Misconfiguration: Elevated to Second Priority
Security Misconfiguration rises from A05:2021 to A02:2025. This repositioning reflects a notably increased prevalence in test data, with an average incidence rate of 3.00 percent.
The category covers 16 CWEs addressing configuration issues in systems, applications, and cloud services. Common scenarios include default accounts with known passwords, unnecessary features left enabled, directory listing not disabled, and excessively verbose error messages revealing stack traces. Cloud storage services often suffer from misconfiguration where default sharing permissions expose data to the public internet.
Persistent Top Categories: A01, A04, and A05
A01:2025 Broken Access Control retains its position as the most serious application security risk, with an average incidence rate of 3.73 percent and 40 associated CWEs. The category covers insecure direct object references, privilege escalation, CORS misconfigurations, token manipulation, and Server-Side Request Forgery.
A04:2025 Cryptographic Failures drops from A02:2021 to A04:2025 with an average incidence rate of 3.80 percent. Common scenarios include outdated encryption algorithms, default cryptographic keys, cryptographic keys in source code repositories, and failure to enforce encryption for sensitive data in transit.
A05:2025 Injection holds its position from A05:2021 with 38 associated CWEs. The category addresses scenarios where user-supplied data is not properly validated, filtered, or sanitised before being used in interpreters.
Consolidation of Server-Side Request Forgery into Broken Access Control
The consolidation of A10:2021 Server-Side Request Forgery into A01:2025 Broken Access Control reflects improved understanding of SSRF vulnerability mechanics. SSRF fundamentally represents a failure to control which resources a server can access on behalf of users, which is an access control failure.
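To illustrate the access-control framing of SSRF, here is an added example (not from the OWASP document) of a deny-by-default decision on an outbound fetch made on a user's behalf: only an allowlisted scheme and host are permitted, and the address DNS resolved for that host is checked so a permitted name cannot redirect the server into non-public address space. The allowlist entries and resolved addresses are constructed; resolution itself is left to the caller so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: the only destinations this service may fetch for a user.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

def is_fetch_allowed(url, resolved_ip=None):
    """Access-control decision for a server-side fetch. Returns True only when
    scheme, host, port and (if given) the resolved address are all permitted."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on a junk port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:          # user@host tricks the eye
        return False
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False
    if port not in (None, 443):
        return False
    if resolved_ip is not None:
        try:
            ip = ipaddress.ip_address(resolved_ip)
        except ValueError:
            return False
        if not ip.is_global:                      # private, loopback, link-local, reserved
            return False
    return True
```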
Organisational Implications
The cumulative effect of the 2025 changes signals a broader shift towards integrating security throughout the software development lifecycle. The elevation of Software Supply Chain Failures emphasises that organisations must secure build infrastructure and developer workstations as intensively as production systems. The introduction of Mishandling of Exceptional Conditions reflects the recognition that error handling is a core security control. The rise of Security Misconfiguration emphasises that operational hardening must keep pace with the rapid evolution of cloud platforms.
OWASP recommends that organisations establish clear security programme foundations, integrate security into existing development and operational processes, implement comprehensive security education programmes, and provide senior stakeholders with visibility into application security programme health through metrics-based decision-making.
For development teams, the 2025 framework requires secure design and threat modelling practices before writing code, structured exception handling across all critical flows, and comprehensive testing of supply chain integrity mechanisms. For security teams, the framework requires that assessment approaches extend beyond traditional source code review to supply chain component analysis and CI/CD pipeline security validation. For organisations, the framework indicates that meaningful security progress requires cross-functional collaboration.
Summarised with the help of AI.