The OWASP LLM Top 10 (2025) Changed More Than the Numbering

The OWASP Top 10 for Large Language Model Applications is the closest thing the field has to a shared vocabulary, which is why every revision matters more than a typical list update. The 2025 edition is not a cosmetic renumber. It adds two categories that practitioners had been treating as sub-cases, and it reframes the supply-chain entry in a way that changes how you scope an assessment. This is the working summary — what moved, and what it means for the controls you already shipped.

The two genuinely new entries

System-prompt leakage got its own category. For two years, “the model revealed its system prompt” was filed under prompt injection or sensitive-information disclosure. Promoting it to a standalone entry is an admission that teams kept getting this wrong: they treated the system prompt as a secret and built product logic that assumed it would stay one. It will not. The correct posture is that the system prompt is recoverable by a determined user, so it must not contain credentials, internal URLs, unredacted business rules, or anything whose disclosure is itself the harm. The control is not “make the prompt unleakable” — that is unachievable — it is “design as if it leaks on day one.”

Vector and embedding weaknesses are now first-class. As retrieval-augmented generation became the default architecture, the attack surface moved into the vector store. The new category covers embedding inversion (reconstructing source text from stored vectors), cross-tenant leakage in shared indexes, and retrieval poisoning where attacker-controlled documents are written into the corpus and later surface as “grounding.” If you ship RAG, the relevant question is no longer “is the LLM safe” but “who can write to the index, and what happens when a poisoned chunk is retrieved with full trust.”

The reframed supply-chain entry

Earlier versions described supply-chain risk in mostly classical terms — vulnerable Python packages, compromised dependencies. The 2025 framing widens it to the model supply chain specifically: tampered model weights, poisoned fine-tuning datasets, malicious adapters and LoRAs pulled from public hubs, and the provenance gap when a “base model” has an unverifiable training history. This matters because most teams have a software SBOM story and almost no model-provenance story. The asymmetry is the finding.

What did not change, and why that is the real signal

Prompt injection remains the number-one entry. Three years into widespread LLM deployment, the field has not produced a general defense — only mitigations that raise cost: input/output filtering, privilege separation between the model and the tools it can call, and treating all model output as untrusted before it touches an action. The persistence of injection at the top is the most honest line in the document. Anyone selling “prompt-injection-proof” is selling the absence of a solution.

What to actually do this week

• Audit your system prompt as if it is public. Grep it for secrets, internal hostnames, and business rules whose disclosure is the harm. Move those into server-side policy that the model cannot recite.
• Map write access to your vector store. Every path that can insert a document is a poisoning path. Gate ingestion, attribute provenance per chunk, and treat retrieved content as untrusted input to the prompt, not as ground truth.
• Start a model SBOM, even a bad one. A spreadsheet of every model, adapter, and fine-tune dataset in production, with source and a hash, beats the nothing most teams have.
• Re-test injection against tool-calling, not chat. The dangerous case in 2026 is an agent that can act, not a chatbot that can talk. Your old chat-only red-team set undercounts the real exposure.

The Top 10 is a floor, not a program. Treat the 2025 changes as confirmation of where the field’s blind spots actually are: provenance, retrieval trust, and the durable absence of an injection fix. Build for those, and revisit when the next revision moves the furniture again.

— Theo