OWASP Top 10 for Large Language Models
In an era where digital advancements permeate every aspect of our lives, large language models (LLMs) stand out as transformative technology. These AI models, known for their ability to generate human-like text, have various applications, from virtual assistance to content creation, language translation, and beyond. However, along with the benefits come many cybersecurity challenges that warrant urgent attention.
Just as the Open Web Application Security Project (OWASP) highlights the most critical security risks to web applications, this article introduces the OWASP Top 10 for Large Language Models (2025 version), published under the broader OWASP GenAI Security Project. This set of risks addresses the unique challenges of LLMs, recognising that vulnerabilities in these AI systems can have consequences as serious as those in traditional software.
These risks range from Prompt Injections (LLM01), akin to the well-known SQL injection attacks but adapted to LLMs, to Training Data Poisoning (LLM03), a threat uniquely relevant to machine learning models. Issues such as Denial of Service (LLM04), a well-established risk in traditional systems, appear alongside newer threats like Excessive Agency (LLM08), reflecting the evolving interaction between AI and other systems.
The potential for security breaches, propagation of misinformation, data leakage, and the compromise of system integrity, among other threats, necessitates a robust and comprehensive approach to the security of LLMs. Consequently, the cybersecurity strategies applied to traditional software systems must be reimagined and reinforced to cater to the nuances of LLMs.
This list of the Top 10 risks is not only a call to action for researchers, developers, and users of LLMs but also serves as a roadmap for prioritising security efforts in the realm of AI. The overall aim is to ensure that as we reap the benefits of AI advancements, we do not compromise on security, privacy, and trust. The ethical use of AI, anchored on a strong cybersecurity foundation, is paramount to harnessing its full potential responsibly and safely.
You can find the original list at the OWASP GenAI Security Project.
LLM01: Prompt Injection - Direct (jailbreaks) and indirect (hidden in external data) injections that allow attackers to manipulate the LLM's outputs and subvert its safety parameters.
LLM02: Insecure Output Handling - Downstream systems accept LLM outputs without proper sanitization, leading to XSS, CSRF, SSRF, or remote code execution.
LLM03: Training Data Poisoning - Intentional manipulation of training or fine-tuning data to introduce backdoors or cause the model to behave maliciously.
LLM04: Model Denial of Service - Attacks that consume excessive resources by causing the model to perform highly intensive text generation or computation, halting service for others.
LLM05: Supply Chain Vulnerabilities - Compromises affecting the entire LLM ecosystem: malicious models on HuggingFace, tampered datasets, or vulnerable ML libraries.
LLM06: Sensitive Information Disclosure - An LLM inadvertently exposes PII, proprietary data, or confidential information it memorized during training or fine-tuning.
LLM07: System Prompt Leakage (New in 2025) - Attackers extract the hidden, backend instructions (the system prompt) that define the agent's behavior and access boundaries.
LLM08: Vector and Embedding Weaknesses (New in 2025) - Specific to RAG (Retrieval-Augmented Generation) architectures: attackers poison a vector database to manipulate search results and force the LLM to output malicious content.
LLM09: Misinformation (New in 2025) - The weaponization of LLMs to dynamically generate highly convincing disinformation, deepfakes, or social engineering attacks at scale.
LLM10: Unbounded Consumption (New in 2025) - Attacks targeting the financial or computational resources of the provider by manipulating autonomous agents to invoke expensive external tools or unbounded loops (Wallet Exhaustion).
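Several of the risks above (LLM02 Insecure Output Handling, LLM06 Sensitive Information Disclosure, LLM10 Unbounded Consumption) share one mitigation pattern: treat everything the model emits as untrusted input and put application-controlled checks between the model and any downstream system. The Python below is an added illustration of that pattern, not code from the OWASP page or project; the function and class names (render_safe_html, validate_tool_call, redact_sensitive, CostBudget), the tool allowlist, the regex patterns and the sample model outputs are all assumptions constructed for this example.

```python
"""Defensive handling of LLM output: treat the model's text as untrusted input.

Added illustration, not code from the OWASP page or project. The function and
class names (render_safe_html, validate_tool_call, redact_sensitive, CostBudget)
and the sample outputs below are assumptions constructed for this example.
"""
from __future__ import annotations

import html
import json
import re
from dataclasses import dataclass


# LLM02: escape model text before it reaches a browser, so a response such as
# "<script>...</script>" is displayed as text rather than executed.
def render_safe_html(llm_text: str) -> str:
    return "<p>" + html.escape(llm_text, quote=True) + "</p>"


# LLM02 / Excessive Agency: the application decides which tools exist and what
# argument shapes they take; the model's tool call is validated before dispatch.
TOOL_SCHEMAS = {
    "lookup_order": {"order_id": str},
    "send_email": {"to": str, "subject": str, "body": str},
}


def validate_tool_call(raw: str) -> dict:
    """Parse a model-emitted tool call and enforce the allowlist and types.

    Raises ValueError for anything the application did not anticipate.
    """
    try:
        call = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"tool call is not valid JSON: {exc}") from exc
    name = call.get("tool")
    if name not in TOOL_SCHEMAS:
        raise ValueError(f"tool {name!r} is not on the allowlist")
    args = call.get("args", {})
    expected = TOOL_SCHEMAS[name]
    if not isinstance(args, dict) or set(args) != set(expected):
        raise ValueError(f"unexpected arguments for {name}: {args!r}")
    for key, typ in expected.items():
        if not isinstance(args[key], typ):
            raise ValueError(f"argument {key!r} must be {typ.__name__}")
    return {"tool": name, "args": args}


# LLM06: a pre-release check for identifiers that should not appear in output.
# The patterns are illustrative placeholders, not a complete PII detector.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def redact_sensitive(llm_text: str) -> tuple[str, list[str]]:
    """Return the text with matches masked, plus the labels that were found."""
    found = []
    for label, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(llm_text):
            found.append(label)
            llm_text = pattern.sub(f"[REDACTED {label}]", llm_text)
    return llm_text, found


# LLM10: cap per-session spend so an agent loop cannot run unbounded.
@dataclass
class CostBudget:
    max_tokens: int
    max_tool_calls: int
    tokens_used: int = 0
    tool_calls: int = 0

    def charge_tokens(self, n: int) -> None:
        if self.tokens_used + n > self.max_tokens:
            raise RuntimeError("token budget exhausted")
        self.tokens_used += n

    def charge_tool_call(self) -> None:
        if self.tool_calls >= self.max_tool_calls:
            raise RuntimeError("tool-call budget exhausted")
        self.tool_calls += 1


if __name__ == "__main__":
    # Constructed sample model outputs for a local demonstration.
    print(render_safe_html('<img src=x onerror="alert(1)">'))
    print(validate_tool_call('{"tool": "lookup_order", "args": {"order_id": "A1"}}'))
    print(redact_sensitive("Ticket owner: bob@example.com, SSN 123-45-6789"))
    budget = CostBudget(max_tokens=2000, max_tool_calls=3)
    for _ in range(3):
        budget.charge_tool_call()
    try:
        budget.charge_tool_call()
    except RuntimeError as err:
        print("blocked:", err)
```

The design point is that none of these checks ask the model to behave well; each is enforced by code the attacker cannot reach through the prompt. The tool allowlist in particular is where Excessive Agency is bounded: a model may request any tool it likes, but only calls matching an expected name and argument shape are ever dispatched, and the budget object stops the loop regardless of what the model keeps asking for.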