Skip to main content

LLM Security — OWASP Top 10 2025

In 2026, every modern app integrates LLMs (chatbots, assistants, RAG, tool-using agents). HackerOne reported +210% YoY in AI vulnerabilities in 2025; prompt injection +540%. If you audit web, you need to audit AI.
The OWASP Top 10 for LLM Applications v2025 introduced two new categories vs 2023: LLM07 System Prompt Leakage and LLM08 Vector & Embedding Weaknesses. LLM02 (Sensitive Info Disclosure) climbed from #6 to #2.

OWASP LLM Top 10 — 2025 version

LLM01:2025 — Prompt Injection

Definition: input (direct or indirect via external content) alters model behavior, makes it ignore policies, exfiltrate data or invoke unauthorized tools. Direct payload:
Mitigation: channel separation (system vs user vs retrieved), least-privilege tools, semantic output validation, human-in-the-loop on sensitive actions.

LLM02:2025 — Sensitive Information Disclosure

Definition: model or app reveals PII, credentials, training data or business logic in output. Payload:
Mitigation: pre-training data sanitization, output filters (Presidio, DLP), least-privilege RAG, differential privacy.

LLM03:2025 — Supply Chain

Definition: vulnerabilities in models, datasets, adapters (LoRA/PEFT) and third-party proxies. Cases:
  • PoisonGPT (Mithril Security 2023) — GPT-J-6B altered via ROME published as /EleuterAI typosquat.
  • +100 malicious models on HuggingFace detected by JFrog (Feb 2024).
  • LiteLLM PyPI compromise (Mar 2026) — 40k pipelines in 40 min.
Mitigation: SBOM for models, hash pinning, weight scanning (ProtectAI ModelScan), HF namespace hijacking checks.

LLM04:2025 — Data and Model Poisoning

Definition: manipulation of pre-training, fine-tuning or embeddings to introduce backdoors or triggers. Payload (backdoor trigger inserted during fine-tuning):
Mitigation: data provenance, dataset diff vs baseline, gradient anomaly detection.

LLM05:2025 — Improper Output Handling

Definition: LLM output concatenated into code/SQL/HTML/shell without sanitization. The “classic XSS of the AI era”. Payload (XSS via chatbot):
Real case: AnythingLLM CVE-2024-0440 (SSRF via file:// URLs generated by LLM). Mitigation: treat output as untrusted input (zero-trust), DOMPurify in HTML, prepared statements in SQL, scheme allowlist.

LLM06:2025 — Excessive Agency

Definition: LLM agent with tools/permissions/autonomy beyond necessary. Three axes: excessive functionality, excessive permissions, excessive autonomy. 2025 case: GitHub Copilot CVE-2025-53773 (RCE via prompt injection against millions of developers). Payload (tool injection against agent with email tool):
Mitigation: fine-grained tools (read_doc only, not delete_doc), human approval on irreversible actions, sandbox per session.

LLM07:2025 — System Prompt Leakage NEW

Definition: system prompt contains secrets (API keys, business rules, transaction limits) and leaks. Attacker learns guardrails to bypass them. Case: banking chatbots leaking “Daily transaction limit $5000” — fraud rules bypass. Extraction payloads:
Mitigation: never put secrets in system prompt; secrets go outside the model (vault + tool with auth).

LLM08:2025 — Vector & Embedding Weaknesses NEW

Definition: RAG pipeline vulnerabilities: vector DB poisoning, adversarial embeddings, cross-tenant leakage in shared stores. PoisonedRAG (USENIX Security 2025): 5 malicious texts per target question achieve 97-99% ASR on NQ/HotpotQA against PaLM 2. Payload (Vector Magnet — text optimized to collide with target query):
Mitigation: vector DB tenant isolation, doc scanning before ingestion, content provenance, cross-encoder re-ranker.

LLM09:2025 — Misinformation

Definition: hallucinations + overconfidence produce incorrect but authoritative output. Replaces 2023’s “Overreliance”. Cases:
  • Air Canada chatbot (2024) — tribunal held airline responsible for bereavement fares invented by bot.
  • Slopsquatting — attacker registers npm names that LLM hallucinates as recommendation.
Payload (force exploitable hallucination):
Mitigation: RAG with cited sources, confidence scoring, human review in regulated domains, visible disclaimers.

LLM10:2025 — Unbounded Consumption

Definition: unlimited inference causing DoS, Denial-of-Wallet (DoW) or model theft (extraction). Real cases:
  • $46k/day in Sysdig LLMjacking (AWS Bedrock).
  • $82k in 48h by stolen Gemini API key (Mar 2026).
Payload (DoW via context-bomb):
Mitigation: hard quotas per user/tenant, billing alerts, token rate limiting (not requests), watermarking to detect extraction.

Prompt Injection — deep analysis

Direct vs Indirect

  • Direct: attacker is the user and manipulates the chatbox.
  • Indirect: payload travels in data the LLM ingests (web page, PDF, email, Jira ticket, code comment). The legitimate user triggers the attack unknowingly.

Famous jailbreaks (2025-2026 status)

Indirect via RAG / documents

Payload embedded in a web page that will enter the context:

Real defenses (what actually works)

  • Spotlighting — delimit untrusted context with tags + datamarking.
  • Dual LLM pattern — a “privileged” LLM never sees untrusted data.
  • Azure Prompt Shields / XPIA classifier.
  • Output filters + tool least-privilege.
  • Human-in-the-loop on irreversible actions.
What does NOT work alone: system prompt instructions like “ignore injected instructions” (trivial bypass), regex-based filters (encoding attacks), mass human review (doesn’t scale). Source: Microsoft MSRC — Defending against IPI (Jul 2025).

Emblematic 2025 case: EchoLeak

CVE-2025-32711, CVSS 9.3 — Discovered by Aim Labs, June 2025. First known zero-click prompt injection in a productive LLM system (Microsoft 365 Copilot). Attack chain:
Aim Labs categorized it as “LLM Scope Violation”. Microsoft patched server-side without traditional advisory. Sources: HackTheBox blog, Dark Reading, arXiv 2509.10540.

Confused Deputy in agents

The agent has privileges > the invoking user’s. Pattern:
Excessive Agency — an agent should NOT have:
  • delete_*, transfer_funds, send_email_external, execute_shell, git_push --force without human confirmation.
  • Globally-scoped credentials when only one is needed.
  • Access to tools the use-case doesn’t require.

RAG Poisoning

Defense: cross-encoder re-ranker, content-trust (sign docs), provenance metadata, tenant isolation, hash-based deduplication against Sybil.

Tools to audit LLMs

Commercial platforms: Lakera Red, Pillar Security, Cisco AI Defense (formerly Robust Intelligence), Protect AI.

Regulatory frameworks 2026

EU AI Act (Reg. 2024/1689)

Staggered entry:

NIST AI RMF 1.0

Functions Govern / Map / Measure / Manage. Extended in 2024 with Generative AI Profile NIST AI 600-1. Non-binding but US reference.

ISO/IEC 42001:2023

AI management system (analogous to ISO 27001). Auditable by BSI/DNV/TÜV. EU AI Act conformance can lean on 42001.

Implications for auditors

  • AI Act Art. 15 demands robustness, accuracy and cybersecurity in high-risk: documented red-teaming is practically mandatory.
  • Art. 55 (GPAI with systemic risk) requires adversarial testing and model evaluation reportable to AI Office.
  • ISO 42001 clause 6.1.2 = continuous AI risk assessment.

Real-world incident cases


Resources