Executive Summary

The OWASP Top 10 serves as the industry's definitive ranking of web application security risks. On November 6, 2025, OWASP released the 2025 edition—the first major update since 2021. This isn't just an incremental revision; it reflects fundamental changes in the threat landscape and how we think about application security.

Two new categories headline the update: Software Supply Chain Failures (A03) addresses the growing threat of compromised dependencies, malicious packages, and tampered build pipelines. Mishandling of Exceptional Conditions (A10) recognizes that how applications fail is as important as how they succeed. Elsewhere in the list, Broken Access Control holds its position at #1, and Security Misconfiguration jumped from #5 to #2.

Beyond the rankings, the 2025 edition represents a philosophical shift from symptoms to root causes. Where previous versions might flag 'Sensitive Data Exposure,' the new framework identifies 'Cryptographic Failures'—the underlying weakness that enables exposure. This report analyzes each category, explains the ranking changes, and provides actionable guidance for security programs adapting to the new framework.

2025 Edition by the Numbers

- 589 CWEs analyzed, up from ~400 in 2021 (source: OWASP)
- 175K CVE records mapped from the NVD database (source: OWASP)
- 2 new categories: Software Supply Chain Failures and Mishandling of Exceptional Conditions (source: OWASP)
- 3.73% of tested applications had Broken Access Control issues (source: OWASP)

2021 vs 2025: Complete Ranking Comparison

The 2025 update reshuffles several categories and introduces two new entries. Understanding these changes helps prioritize security investments.

| 2025 Rank | Category | 2021 Rank | Change | CWEs |
|---|---|---|---|---|
| A01 | Broken Access Control | #1 | Stable (SSRF merged) | 40 |
| A02 | Security Misconfiguration | #5 | +3 positions | 16 |
| A03 | Software Supply Chain Failures | NEW | Community priority #1 | 5 |
| A04 | Cryptographic Failures | #2 | -2 positions | 32 |
| A05 | Injection | #3 | -2 positions | 38 |
| A06 | Insecure Design | #4 | -2 positions | |
| A07 | Authentication Failures | #7 | Stable | 36 |
| A08 | Software/Data Integrity Failures | #8 | Stable | |
| A09 | Logging & Alerting Failures | #9 | Stable (renamed) | 5 |
| A10 | Mishandling of Exceptional Conditions | NEW | 24 CWEs consolidated | 24 |

A01:2025 – Broken Access Control

Maintaining its position at #1 for the second consecutive edition, Broken Access Control remains the most critical web application security risk. In 2025, SSRF has been merged into this category.

Prevalence: 3.73%

Of all applications tested, 3.73% exhibited broken access control vulnerabilities. With over 318,000 occurrences, it has the highest occurrence rate.

40 CWEs Covered

The largest category includes CWE-200 (Exposure of Sensitive Information), CWE-352 (CSRF), and now CWE-918 (SSRF).

94% Testing Coverage

Nearly all applications (94%) were tested for broken access control, demonstrating industry-wide awareness.

SSRF Now Included

Server-Side Request Forgery, previously A10:2021, has been merged into Broken Access Control.

A02:2025 – Security Misconfiguration (Up from #5)

The most dramatic ranking change in 2025 sees Security Misconfiguration surge from fifth to second place. This reflects a growing recognition that many security incidents stem not from sophisticated exploits but from basic configuration errors that create exploitable conditions.

This category encompasses default configurations left unchanged, unnecessary features enabled, verbose error messages that leak information, missing security headers, outdated software, and insecure cloud storage permissions. The rise to #2 sends a clear message: organizations must treat configuration management as a security-critical function.

With 16 CWEs affecting 3.00% of tested applications, misconfigurations often represent low-hanging fruit for attackers. They require no specialized tools or zero-day exploits—just the patience to probe for common weaknesses.
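The checks below are an added example written for this report, not code from OWASP or any vendor. They turn the A02 list (missing security headers, version-revealing banners, stack traces reaching the client) into a baseline audit of a single HTTP response; the same function is the kind of automated baseline check the configuration-management recommendation later in this report calls for. The required-header set is a baseline chosen for the example, and both sample responses are constructed.

```python
"""Baseline audit of one HTTP response for common misconfigurations.

Added example, not from the OWASP document. Inspects status, headers and body
for the A02 problems: missing security headers, banners that reveal versions,
and verbose error output. The header baseline is this example's choice.
"""
import re

# Security headers this baseline expects on every HTML response (example choice).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing, connections can be downgraded to HTTP",
    "content-security-policy": "CSP missing, no restriction on script sources",
    "x-content-type-options": "MIME sniffing not disabled",
    "x-frame-options": "page can be framed (clickjacking)",
}

# Body fragments that indicate a stack trace or debug page reached the client.
VERBOSE_ERROR_MARKERS = (
    "Traceback (most recent call last)",
    "Stack trace:",
    "DEBUG = True",
    "\tat java.",
)


def audit_response(status, headers, body):
    """Return a list of findings (strings) for one response; [] means clean.

    headers: mapping of header name -> value, compared case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, problem in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header {name}: {problem}")
    # Server / X-Powered-By values carrying a version number leak the software inventory.
    for banner in ("server", "x-powered-by"):
        value = lower.get(banner, "")
        if re.search(r"\d+\.\d+", value):
            findings.append(f"{banner} header reveals version: {value!r}")
    # A 5xx page that contains a stack trace is the verbose-error case from A02.
    if status >= 500 and any(marker in body for marker in VERBOSE_ERROR_MARKERS):
        findings.append("5xx response contains stack trace / debug output")
    return findings


# Constructed sample: defaults left in place, debug page shown to the client.
INSECURE_RESPONSE = (
    500,
    {"Server": "ExampleHTTPd/1.2.3", "X-Powered-By": "ExampleLang/4.5.6",
     "Content-Type": "text/html"},
    "<pre>Traceback (most recent call last):\n  File \"/srv/app/views.py\", line 42</pre>",
)

# Constructed sample: same failure, but a generic page with the baseline headers.
HARDENED_RESPONSE = (
    500,
    {"Server": "ExampleHTTPd", "Content-Type": "text/html",
     "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
     "Content-Security-Policy": "default-src 'self'",
     "X-Content-Type-Options": "nosniff",
     "X-Frame-Options": "DENY"},
    "<h1>Something went wrong.</h1><p>Reference id: a1b2c3d4</p>",
)

if __name__ == "__main__":
    for label, response in (("insecure", INSECURE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(*response))
```

Running the audit against every response captured during an integration test run, rather than a single hand-picked page, is what turns this into the "automate compliance checking" practice: a header that disappears after a deployment shows up as a new finding, which is configuration drift made visible.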

A03:2025 – Software Supply Chain Failures (NEW)

The community's #1 concern becomes an official category. Supply chain attacks exploit trust in dependencies, build systems, and distribution channels. Notable incidents include SolarWinds (2020), Log4j (2021), and XZ Utils (2024). While this category has the fewest data occurrences (5 CWEs), it has the highest average exploit and impact scores—making successful attacks catastrophically damaging. Organizations must verify component integrity, monitor dependency updates, and implement software composition analysis.
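"Verify component integrity" is concrete enough to show in code. The following is an added example written for this report, not OWASP's or any SCA tool's code: it parses the requirements-with-hashes format that pip's hash-checking mode uses (`name==version --hash=sha256:<hex>`), recomputes the SHA-256 of each downloaded artifact, and reports any artifact that does not match its pin or any dependency pinned by version alone. The lock file and artifacts are constructed; the hash for `alpha` is SHA-256 of the bytes `abc`, the hash for `beta` is SHA-256 of the empty string.

```python
"""Check dependency artifacts against pinned SHA-256 hashes.

Added example, not from OWASP or any SCA vendor. Reads pip-style pins with
--hash entries (constructed below) and verifies each artifact's digest.
"""
import hashlib
import re

# One requirement per line: name==version followed by zero or more --hash entries.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_pins(text):
    """Return {name: (version, set_of_sha256_hex)}.

    Raises ValueError for a line that is not an exact ==version pin, since a
    range such as >=1.0 cannot be integrity-checked at all.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable or unpinned requirement: {raw!r}")
        hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m["hashes"]))
        pins[m["name"].lower()] = (m["version"], hashes)
    return pins


def verify_artifacts(pins, artifacts):
    """Compare each artifact's SHA-256 with its pin.

    artifacts: {name: bytes of the downloaded file}.
    Returns a list of (name, problem); an empty list means every artifact
    matched one of its pinned hashes.
    """
    findings = []
    for name, (version, hashes) in pins.items():
        if not hashes:
            findings.append((name, "pinned by version only; no integrity hash"))
            continue
        data = artifacts.get(name)
        if data is None:
            findings.append((name, "artifact not present"))
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest not in hashes:
            findings.append((name, f"hash mismatch for {version}: got {digest[:16]}..."))
    return findings


# Constructed lock file for the example.
PINNED_REQUIREMENTS = """
# alpha's hash is sha256(b"abc"); beta's is sha256(b"")
alpha==1.0 --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
beta==2.3 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
gamma==0.9
"""

# Constructed artifacts: alpha is intact, beta was replaced on the way in.
ARTIFACTS = {
    "alpha": b"abc",
    "beta": b"tampered",
}


def run_check():
    """Verify the constructed artifacts; returns the findings list."""
    return verify_artifacts(parse_pins(PINNED_REQUIREMENTS), ARTIFACTS)


if __name__ == "__main__":
    for name, problem in run_check():
        print(f"{name}: {problem}")
```

In a real pipeline the same guarantee comes from `pip install --require-hashes -r requirements.txt`, which refuses to install anything whose digest is not listed; the value of a standalone checker is that it can run against artifacts fetched by any ecosystem's tooling, and it flags version-only pins (the `gamma` line) that hash checking would silently skip if they were never hashed in the first place.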

The Injection Decline: From #1 to #5

Injection vulnerabilities, once the undisputed king of web application risks, have fallen from #1 (2017) to #3 (2021) to #5 (2025). This decline reflects genuine security improvements.

Framework Adoption

Modern frameworks with parameterized queries, prepared statements, and ORM layers have made SQL injection structurally harder to introduce.

Static Analysis

SAST tools effectively detect injection patterns during development, catching vulnerabilities before production.

Developer Education

Two decades of awareness campaigns have made injection prevention a fundamental skill taught in every security training.

A04:2025 – Cryptographic Failures (Down from #2)

Cryptographic Failures dropped two positions to #4, though this doesn't indicate reduced importance. Rather, the rise of misconfiguration and supply chain concerns has displaced it relatively. With 32 CWEs and a 3.80% prevalence rate, cryptographic weaknesses remain significant.

This category addresses failures in protecting data at rest and in transit: weak algorithms, improper key management, insufficient entropy, deprecated protocols, and certificate validation bypasses. The emphasis on 'failures' rather than 'exposure' reflects OWASP's shift toward root causes.

A10:2025 – Mishandling of Exceptional Conditions (NEW)

The second new category recognizes that how applications fail matters as much as how they succeed.

This category contains 24 CWEs focusing on improper error handling, logical errors, failing open, race conditions, and other scenarios stemming from abnormal conditions. When systems encounter unexpected inputs or states, their failure mode determines whether an attacker gains access.

Secure systems 'fail closed'—when something goes wrong, they deny access. Insecure systems 'fail open'—errors result in bypassed controls. A classic example: a login system that grants access when the authentication database is unreachable.

Verbose error messages reveal stack traces, database schemas, file paths, and internal logic. Attackers use this information to refine attacks. Production systems should show generic errors while logging details server-side.

Time-of-check to time-of-use (TOCTOU) vulnerabilities allow attackers to exploit the gap between when a condition is verified and when it's acted upon. These logical errors can bypass authentication, authorization, and financial controls.

These weaknesses were previously grouped under 'poor code quality,' but their security impact warrants dedicated focus. As applications grow more complex with distributed architectures, the number of exceptional conditions—and opportunities for mishandling—has exploded.
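The login-during-outage case and the "generic error to the client, details in the server log" rule are small enough to show together. What follows is an added example written for this report, not OWASP's code: a stub user directory that can be told to raise (standing in for the unreachable authentication database), a fail-open login that swallows the exception and falls through to success, and a fail-closed login that denies, logs the detail under a reference id, and returns only a generic message. Accounts and the outage are constructed; the stub compares plaintext passwords purely to keep the example short.

```python
"""Fail-open versus fail-closed authentication with safe error reporting.

Added example, not from the OWASP document. UserDirectory is a constructed
stub; a real store would hold password hashes, not plaintext.
"""
import logging
import uuid

log = logging.getLogger("auth")


class DirectoryUnavailable(Exception):
    """Raised when the backend user store cannot be reached."""


class UserDirectory:
    """Constructed stand-in for an authentication database."""

    def __init__(self, passwords, available=True):
        self._passwords = passwords     # constructed: username -> password
        self.available = available      # flip to False to simulate an outage

    def check(self, username, password):
        if not self.available:
            raise DirectoryUnavailable("directory timeout")
        return self._passwords.get(username) == password


def login_fail_open(directory, username, password):
    """Defective pattern: the only return False sits inside the try, so an
    exception skips it and execution falls through to the success path."""
    try:
        if not directory.check(username, password):
            return False
    except DirectoryUnavailable:
        pass        # BUG: the outage is treated as "nothing went wrong"
    return True


def login_fail_closed(directory, username, password):
    """Fail closed: any error denies access.

    Returns (granted, message_for_client). The client only ever sees a
    generic message; the exception text goes to the server log under a
    reference id so support can correlate the two.
    """
    try:
        ok = directory.check(username, password)
    except DirectoryUnavailable as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("auth backend error ref=%s user=%s: %s", ref, username, exc)
        return False, f"Login temporarily unavailable (ref {ref})"
    if not ok:
        return False, "Invalid username or password"
    return True, None


if __name__ == "__main__":
    outage = UserDirectory({"alice": "s3cret"}, available=False)
    print("fail-open during outage:  ", login_fail_open(outage, "nobody", "wrong"))
    print("fail-closed during outage:", login_fail_closed(outage, "nobody", "wrong"))
```

The fail-open bug is easy to miss in review because every line is individually reasonable; it is the shape of the control flow (a denial that lives only inside the guarded block) that creates it. A test that runs the login with the backend forced into an error state, as the `outage` directory does here, catches it mechanically, and is the kind of check the "verify fail-closed behaviour" recommendation asks for.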

Philosophical Shift: Root Causes Over Symptoms

The 2025 edition explicitly prioritizes root causes over symptoms. Previous versions sometimes mixed them—'Sensitive Data Exposure' describes what happened, not why. The 2025 framework asks: what underlying weakness enabled the outcome? This shifts security conversations from incident response ('data was exposed') to prevention ('cryptography was misconfigured'). For practitioners, this means addressing categories at their source rather than treating individual manifestations.

What This Means for Your Security Program

1. Implement Software Composition Analysis

With supply chain failures now at A03, you need continuous visibility into dependencies. Deploy SCA tools that identify vulnerable components, detect malicious packages, and alert on integrity violations.

2. Prioritize Configuration Management

Security Misconfiguration's jump to #2 demands attention. Implement configuration baselines, automate compliance checking, and treat configuration drift as a security incident.

3. Strengthen Access Control Testing

Broken Access Control at #1 with 318,000+ occurrences means your access control model needs rigorous testing. Implement automated authorization testing and verify every endpoint.

4. Review Error Handling Patterns

The new Exceptional Conditions category requires reviewing how your applications fail. Audit error handling for information leakage, verify 'fail closed' behavior, and test race conditions.

5. Update Training Materials

If your developer training still emphasizes injection as the #1 risk, update it. Focus training on access control, configuration, and the new categories.

6. Align WAF Rules with 2025 Categories

Ensure your Web Application Firewall ruleset addresses all 2025 categories. Legacy rulesets optimized for injection may underweight access control and misconfiguration detection.
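Recommendation 3 ("automated authorization testing, verify every endpoint") is the one most teams find hardest to start, so here is the shape of it as an added example written for this report, not OWASP's code or any project's. A policy matrix states which principal may reach which endpoint; a harness calls every principal-by-endpoint pair and reports any case where the application's answer disagrees with the matrix. The tiny in-process "application" is constructed and deliberately omits an ownership check on one resource type, so the harness has a broken-access-control finding to make; in a real program the same matrix would drive HTTP requests against a test deployment.

```python
"""Role-by-endpoint authorization matrix test.

Added example, not from the OWASP document. ORDERS, EXPECTED and handle() are
constructed; handle() models an app with one missing object-level check.
"""
from functools import partial

# Constructed data: which user owns which order.
ORDERS = {"1001": "alice", "1002": "bob"}

PRINCIPALS = ("admin", "alice", "bob", "anonymous")

# The oracle: for each endpoint, the set of principals that should be served.
EXPECTED = {
    ("GET", "/admin/users"): {"admin"},
    ("GET", "/orders/1001"): {"admin", "alice"},   # owner or admin only
    ("GET", "/orders/1002"): {"admin", "bob"},
    ("GET", "/me"):          {"admin", "alice", "bob"},
}


def handle(principal, method, path, enforce_ownership):
    """Constructed application logic; returns an HTTP status code.

    With enforce_ownership=False any logged-in user can read any order,
    which is the classic object-level access control defect.
    """
    if principal == "anonymous":
        return 401
    if path == "/admin/users":
        return 200 if principal == "admin" else 403
    if path.startswith("/orders/"):
        order_id = path.rsplit("/", 1)[1]
        if order_id not in ORDERS:
            return 404
        if enforce_ownership and principal != "admin" and ORDERS[order_id] != principal:
            return 403
        return 200
    if path == "/me":
        return 200
    return 404


def authz_matrix(handler, expected, principals):
    """Exercise every (principal, endpoint) pair and return the violations.

    A violation is a principal served (2xx) who is not in the allow set, or a
    principal refused who is. Each entry: (principal, method, path, detail).
    """
    violations = []
    for (method, path), allowed in expected.items():
        for principal in principals:
            status = handler(principal, method, path)
            served = 200 <= status < 300
            if served and principal not in allowed:
                violations.append((principal, method, path, f"served ({status}) but not allowed"))
            elif not served and principal in allowed:
                violations.append((principal, method, path, f"refused ({status}) but allowed"))
    return violations


def run_matrix(enforce_ownership):
    """Run the matrix against the constructed app; returns the violation list."""
    handler = partial(handle, enforce_ownership=enforce_ownership)
    return authz_matrix(handler, EXPECTED, PRINCIPALS)


if __name__ == "__main__":
    print("without ownership check:", run_matrix(False))
    print("with ownership check:   ", run_matrix(True))
```

Two properties make this worth keeping in CI rather than running once: the matrix is checked in both directions (over-permissive and over-restrictive answers both fail, so a regression that locks legitimate users out is caught too), and adding an endpoint without adding a matrix row is itself visible in review, which is how "verify every endpoint" stays true as the application grows.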

References & Sources

- OWASP Top 10:2025 RC1 - primary source for category definitions, statistics, and methodology changes. https://owasp.org/Top10/2025/0x00_2025-Introduction/
- OWASP Top 10 project page - official project page with historical versions and supplementary materials. https://owasp.org/www-project-top-ten/
- Aikido - developer-focused analysis of the 2025 changes. https://www.aikido.dev/blog/owasp-top-10-2025-changes-for-developers
- Fastly - industry perspective on what changed and what you need to know. https://www.fastly.com/blog/new-2025-owasp-top-10-list-what-changed-what-you-need-to-know

Align Your Security with OWASP 2025

The OWASP Top 10:2025 reshapes how we prioritize web application security. TR7's integrated security platform provides defense-in-depth against all ten categories.
