LLM Security — OWASP Top 10 2025
In 2026, every modern app integrates LLMs (chatbots, assistants, RAG, tool-using agents). HackerOne reported +210% YoY in AI vulnerabilities in 2025; prompt injection +540%. If you audit web, you need to audit AI.The OWASP Top 10 for LLM Applications v2025
introduced two new categories vs 2023: LLM07 System Prompt
Leakage and LLM08 Vector & Embedding Weaknesses. LLM02
(Sensitive Info Disclosure) climbed from #6 to #2.
OWASP LLM Top 10 — 2025 version
LLM01:2025 — Prompt Injection
Definition: input (direct or indirect via external content) alters model behavior, makes it ignore policies, exfiltrate data or invoke unauthorized tools. Direct payload:LLM02:2025 — Sensitive Information Disclosure
Definition: model or app reveals PII, credentials, training data or business logic in output. Payload:LLM03:2025 — Supply Chain
Definition: vulnerabilities in models, datasets, adapters (LoRA/PEFT) and third-party proxies. Cases:- PoisonGPT (Mithril Security 2023) — GPT-J-6B altered via
ROME published as
/EleuterAItyposquat. - +100 malicious models on HuggingFace detected by JFrog (Feb 2024).
- LiteLLM PyPI compromise (Mar 2026) — 40k pipelines in 40 min.
LLM04:2025 — Data and Model Poisoning
Definition: manipulation of pre-training, fine-tuning or embeddings to introduce backdoors or triggers. Payload (backdoor trigger inserted during fine-tuning):LLM05:2025 — Improper Output Handling
Definition: LLM output concatenated into code/SQL/HTML/shell without sanitization. The “classic XSS of the AI era”. Payload (XSS via chatbot):file:// URLs
generated by LLM).
Mitigation: treat output as untrusted input (zero-trust),
DOMPurify in HTML, prepared statements in SQL, scheme allowlist.
LLM06:2025 — Excessive Agency
Definition: LLM agent with tools/permissions/autonomy beyond necessary. Three axes: excessive functionality, excessive permissions, excessive autonomy. 2025 case: GitHub Copilot CVE-2025-53773 (RCE via prompt injection against millions of developers). Payload (tool injection against agent with email tool):read_doc only, not
delete_doc), human approval on irreversible actions, sandbox
per session.
LLM07:2025 — System Prompt Leakage NEW
Definition: system prompt contains secrets (API keys, business rules, transaction limits) and leaks. Attacker learns guardrails to bypass them. Case: banking chatbots leaking “Daily transaction limit $5000” — fraud rules bypass. Extraction payloads:LLM08:2025 — Vector & Embedding Weaknesses NEW
Definition: RAG pipeline vulnerabilities: vector DB poisoning, adversarial embeddings, cross-tenant leakage in shared stores. PoisonedRAG (USENIX Security 2025): 5 malicious texts per target question achieve 97-99% ASR on NQ/HotpotQA against PaLM 2. Payload (Vector Magnet — text optimized to collide with target query):LLM09:2025 — Misinformation
Definition: hallucinations + overconfidence produce incorrect but authoritative output. Replaces 2023’s “Overreliance”. Cases:- Air Canada chatbot (2024) — tribunal held airline responsible for bereavement fares invented by bot.
- Slopsquatting — attacker registers npm names that LLM hallucinates as recommendation.
LLM10:2025 — Unbounded Consumption
Definition: unlimited inference causing DoS, Denial-of-Wallet (DoW) or model theft (extraction). Real cases:- $46k/day in Sysdig LLMjacking (AWS Bedrock).
- $82k in 48h by stolen Gemini API key (Mar 2026).
Prompt Injection — deep analysis
Direct vs Indirect
- Direct: attacker is the user and manipulates the chatbox.
- Indirect: payload travels in data the LLM ingests (web page, PDF, email, Jira ticket, code comment). The legitimate user triggers the attack unknowingly.
Famous jailbreaks (2025-2026 status)
Indirect via RAG / documents
Payload embedded in a web page that will enter the context:Real defenses (what actually works)
- Spotlighting — delimit untrusted context with tags + datamarking.
- Dual LLM pattern — a “privileged” LLM never sees untrusted data.
- Azure Prompt Shields / XPIA classifier.
- Output filters + tool least-privilege.
- Human-in-the-loop on irreversible actions.
Emblematic 2025 case: EchoLeak
CVE-2025-32711, CVSS 9.3 — Discovered by Aim Labs, June 2025. First known zero-click prompt injection in a productive LLM system (Microsoft 365 Copilot). Attack chain:Confused Deputy in agents
The agent has privileges > the invoking user’s. Pattern:delete_*,transfer_funds,send_email_external,execute_shell,git_push --forcewithout human confirmation.- Globally-scoped credentials when only one is needed.
- Access to tools the use-case doesn’t require.
RAG Poisoning
Defense: cross-encoder re-ranker, content-trust (sign docs),
provenance metadata, tenant isolation, hash-based deduplication
against Sybil.
Tools to audit LLMs
Commercial platforms: Lakera Red,
Pillar Security,
Cisco AI Defense
(formerly Robust Intelligence), Protect AI.
Regulatory frameworks 2026
EU AI Act (Reg. 2024/1689)
Staggered entry:NIST AI RMF 1.0
Functions Govern / Map / Measure / Manage. Extended in 2024 with Generative AI Profile NIST AI 600-1. Non-binding but US reference.ISO/IEC 42001:2023
AI management system (analogous to ISO 27001). Auditable by BSI/DNV/TÜV. EU AI Act conformance can lean on 42001.Implications for auditors
- AI Act Art. 15 demands robustness, accuracy and cybersecurity in high-risk: documented red-teaming is practically mandatory.
- Art. 55 (GPAI with systemic risk) requires adversarial testing and model evaluation reportable to AI Office.
- ISO 42001 clause 6.1.2 = continuous AI risk assessment.
Real-world incident cases
Resources
- OWASP Top 10 for LLM Applications 2025 PDF v4.2.0a
- OWASP Gen AI Security Project
- Lakera — Indirect Prompt Injection
- Microsoft MSRC — Defending against IPI
- PoisonedRAG (USENIX Security 2025)
- Prompt Security — Vector Embedding Poisoning
- CSA — Confused Deputy in AI Agents
- EU AI Act — official portal
- NIST AI RMF
Related resources
- Tactical glossary — Type Confusion, Mass Assignment.
- Professional web recon — Backend fingerprinting.
- Report template — CVSS and MITRE.