The Open Worldwide Application Security Project (OWASP) provides guidance on governance, risk management, and compliance for LLM deployment. Led by more than five hundred experts in cybersecurity, AI and IT, the project serves thousands of members – from developers and data scientists to compliance officers and security practitioners – who seek knowledge concerning risks and security solutions for LLM apps and GenAI.
One of OWASP’s most prominent resources for security best practices is its Top 10 for LLM Applications & Generative AI, which lays out the most critical LLM vulnerabilities found in applications that use LLMs. Prompt Security CEO & Co-founder Itamar Golan, an expert in GenAI Security, played a significant role in the list’s compilation and continues to contribute to the intermittent release of new OWASP resources on security guidance.
OWASP Top 10 for LLM Applications and GenAI in 2025
1. Prompt Injection
When an attacker manipulates a large language model (LLM) through carefully crafted inputs.
They embed hidden commands in AI model prompts that exploit the model’s pattern-matching behavior to override original instructions. This can cause the model to output unintended, malicious, or harmful content.
This is especially prevalent in applications that chain LLM or AI model responses into backend actions without verification.
Prevention and mitigation:
- Measures that can mitigate the impact of prompt injections include enforcing privilege control on LLM access to backend systems.
- Adding a human in the loop for extended functionality.
- Segregating external content from user prompts.
- Instructing models to ignore attempts to modify core instructions.
2. Sensitive Information Disclosure
Sensitive data is undesirably revealed as a consequence of either LLM integration (i.e., an LLM application revealing sensitive data via its outputs) or LLM usage (i.e., a user feeding sensitive data into an external LLM app).
This vulnerability arises when models leak training data or expose private or regulated information through outputs. It can also occur when users unintentionally input sensitive data into third-party LLM interfaces.
These incidents may breach confidentiality and violate data protection laws like GDPR or HIPAA. Robust data security practices are necessary to limit exposure and protect user trust.
Prevention and mitigation:
- Enforce strict access control methods to external data sources.
- Use data sanitization and cleansing to prevent user data from entering the training model data.
3. Supply Chain
When third-party datasets, pre-trained models, and plugins render LLM applications susceptible to security attacks.
Supply chain risks are introduced when LLMs rely on external models, libraries, or datasets that may be tampered with or not maintained securely. A compromised third-party component can introduce vulnerabilities into otherwise secure systems.
Prevention and mitigation:
- Vet suppliers and their policies.
- Use third-party model integrity checks with signing and file hashes, as well as code signing for externally supplied code.
- Conduct regular updates of component inventory.
4. Data and Model Poisoning
When pre-training data, the fine-tuning process, or embedding data is manipulated so as to enable vulnerabilities that compromise a model’s security, effectiveness, or ethical behavior.
Malicious actors may inject poisoned data into the model’s training pipeline to subtly alter its behavior. This can lead to biased responses, backdoors, or unethical outputs that are hard to detect but dangerous in production environments.
Training data poisoning can persist undetected unless validation and verification processes are in place.
Prevention and mitigation:
- Track data origins and transformations, and verify data legitimacy during all model development stages.
- Validate model outputs against trusted sources to detect signs of poisoning.
- Ensure sufficient infrastructure controls to prevent undesired access to data sources.
5. Improper Output Handling
When backend systems are exposed due to an LLM output being accepted and passed downstream without sufficient validation, sanitization, and handling. Potential consequences of exploitation include XSS and CSRF in web browsers and SSRF, privilege escalation, and remote code execution on backend systems.
LLM outputs may include executable code, URLs, or HTML. If not sanitized, they could be executed in client or server environments. Treating LLM output as inherently safe can turn a user-driven response into an attack vector.
Prevention and mitigation:
- Apply proper input validation on responses that head from the model to backend functions.
- Encode model output back to users.
6. Excessive Agency
When LLMs take action without sufficient human oversight.
LLMs integrated with tools, APIs, or automation flows may make decisions that should require human approval. If models are granted too much autonomy, they may perform actions beyond their intended scope. These include sending emails, deleting files, or making purchases.
Prevention and mitigation:
- Set clear guidelines and constraints on LLM autonomy, ensuring that LLM tools only have access to required functions and, when possible, that such functions are closed-ended in nature.
- Where feasible, require human approval.
7. System Prompt Leakage
When the information that guides a model’s output and/or the instructions guiding its behavior contain sensitive data, the unintended exposure of which could make the model vulnerable to attacks.
AI system prompts or base instructions (e.g., those that specify “you are a helpful assistant”) can contain rules, credentials, or privileged logic. If exposed, attackers may use them to craft prompts that bypass restrictions or trigger unintended responses.
Prevention and mitigation:
- Externalize sensitive information to systems that the model does not directly access.
- Rely on systems outside of the LLM to control model behavior.
- Implement an independent system (that is, outside the LLM) that can inspect the output to determine if the model is in compliance with expectations.
8. Vector and Embedding Weaknesses
When systems using retrieval-augmented generation with LLMs generate, store, or retrieve vectors and embeddings in such a way that bad actors can inject harmful content, manipulate model outputs, or access sensitive information.
These weaknesses arise when attackers poison embedding stores or exploit poorly secured vector databases. They do this to influence what information the model retrieves and uses.
Prevention and mitigation:
- Establish detailed access controls and permission-aware vector and embedding stores.
- Implement robust data validation pipelines for knowledge sources.
- Maintain detailed, immutable logs of retrieval activities to identify suspicious behavior.
9. Misinformation
When LLMs produce false or misleading information that appears credible, often as the result of AI hallucinations.
LLMs can “hallucinate” facts or fabricate citations, making their responses seem trustworthy when they are incorrect. This becomes dangerous when users rely on LLMs for legal, medical, financial, or technical advice without verification.
Prevention and mitigation:
- Use techniques like parameter-efficient tuning (PET) and chain-of-thought prompting.
- Implement rigorous fact-checking for sensitive information.
- Establish secure coding practices to prevent the integration of vulnerabilities that may stem from incorrect code suggestions.
10. Unbounded Consumption
When LLMs are manipulated to process excessive amounts of information, opening them up to unauthorized usage and denial of service (DoS) attacks.
Attackers can abuse LLM endpoints by submitting excessively long or resource-heavy inputs, leading to high compute costs, degraded performance, or total service unavailability. This impacts availability and creates significant operational strain.
Prevention and mitigation:
- Employ measures that prevent inputs from exceeding predetermined size limits.
- Monitor resource allocation closely so that no single user or request can consume excessive computational resources.
- Design the system to maintain partial functionality, even as it degrades due to intolerable computational demand.
Prompt Security’s Vital Role in the Top Ten for LLMs
To achieve a list that is both concise and dependable, OWASP brought the most relevant and forward-thinking voices into the decision-making process. Together with his fellow contributors, Itamar assessed and refined language on various vulnerabilities before determining which language would advance for further consideration.
“The OWASP Top 10 for LLM Apps and GenAI empowers organizations to meet first-rate security standards while keeping pace with Generative AI’s rapid adoption and evolution. I am proud to have supported this project from the beginning and remain committed as it deepens and expands its essential and actionable guidance for navigating the complexities of AI security.” Itamar Golan, CEO & Co-founder of Prompt Security
How Prompt Security Helps
Prompt Security safeguards systems against all of these vulnerabilities and threats, helping make interactions with GenAI applications safe and legitimate. We block prompt injections with minimal latency overhead, prevent chatbot-induced leaks of sensitive data, counter model denial of service attacks by monitoring for abnormal usage, and more. Prompt Security is at the forefront of robust GenAI protection, ensuring your GenAI applications are safe and secure with real-time protection.
