OWASP Top 10:2025, what changed from 2021 and what it means for your team

The 2025 edition of the OWASP Top 10 introduces two new categories, retires one, reshuffles the ranking, and expands the methodology to 589 CWEs. Here's the concrete list of changes and what engineering teams should actually do about them.

Published April 16, 2026

By Top 10 Dev Training

The OWASP Top 10:2025 is the first major revision of the list since 2021. It analyzes 589 Common Weakness Enumerations (a substantially larger sample than the 2021 edition's data set), introduces two new categories, retires one, and reshuffles the ranking in ways that reflect how application security risk has shifted over the last four years. For engineering teams, the practical work is not just "train on the new list." It's updating code review priorities, tooling, and onboarding documentation to match the 2025 risk profile.

This guide walks through every change category-by-category, cites the primary sources, and outlines the concrete work the changes imply.

TL;DR

  1. Two new categories: A03 Software Supply Chain Failures and A10 Mishandling of Exceptional Conditions.
  2. One category retired: 2021's A10 Server-Side Request Forgery (SSRF) has been consolidated into A01 Broken Access Control.
  3. Biggest ranking move: A02 Security Misconfiguration jumped from #5 (2021) to #2 (2025).
  4. Renames to note: A07 is now "Authentication Failures" (was "Identification and Authentication Failures"), A09 is now "Security Logging and Alerting Failures" (was "Monitoring").
  5. Methodology expanded: the 2025 edition analyzes 589 CWEs, a substantially larger sample than the 2021 edition worked from.
  6. Most practical immediate work for engineering teams: add supply chain and exceptional-condition coverage to code review and training, introduce an SBOM if you don't have one, and recheck your error-handling conventions.

The 2021 to 2025 mapping at a glance

Position | 2021 title                                   | 2025 title                              | Change
A01      | Broken Access Control                        | Broken Access Control                   | Same position. SSRF consolidated in.
A02      | Cryptographic Failures                       | Security Misconfiguration               | Security Misconfiguration promoted from #5.
A03      | Injection                                    | Software Supply Chain Failures          | New category; broadens 2021's A06 Vulnerable and Outdated Components.
A04      | Insecure Design                              | Cryptographic Failures                  | Cryptographic Failures demoted from #2.
A05      | Security Misconfiguration                    | Injection                               | Injection demoted from #3.
A06      | Vulnerable and Outdated Components           | Insecure Design                         | Insecure Design demoted from #4.
A07      | Identification and Authentication Failures   | Authentication Failures                 | Same position, renamed and scoped.
A08      | Software and Data Integrity Failures         | Software or Data Integrity Failures     | Same position, minor rename.
A09      | Security Logging and Monitoring Failures     | Security Logging and Alerting Failures  | "Monitoring" replaced with "Alerting".
A10      | Server-Side Request Forgery (SSRF)           | Mishandling of Exceptional Conditions   | SSRF retired, new category added.

The two net-new categories

A03:2025 Software Supply Chain Failures

In 2021, A06 was "Vulnerable and Outdated Components," and it focused tightly on software components with known CVEs. The 2025 edition rebrands and substantially broadens the category into Software Supply Chain Failures, acknowledging that risk extends beyond "which version of log4j you pinned" to the integrity of the acquisition, build, and distribution processes themselves. Typosquatting, dependency confusion, compromised build servers, and malicious transitive dependencies all fall inside this category.

The reframing matters because tooling and training aimed at the 2021 version (dependency scanning, license checks) cover only part of the 2025 risk. Supply chain failures require software bills of materials (SBOMs), signature verification of artifacts, explicit registry scoping, and awareness of attacks that exploit the trust relationships between packages rather than vulnerabilities inside them. Supply-chain attacks have dominated security headlines since 2022, and the 2025 ranking reflects that.
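To make the difference between "dependency scanning" and "supply chain review" concrete, here is an added example (written for this guide, not code from OWASP or any SBOM tool) that audits a small CycloneDX-style SBOM for three of the failure modes named above: components recorded without an integrity hash, first-party package names that were resolved from a public registry instead of the internal one (the dependency-confusion pattern), and third-party names one edit away from a reviewed package (the typosquatting pattern). The SBOM content, the `acme-` prefix, the internal registry URL and the `KNOWN_GOOD` allowlist are all constructed for the example; artifact signature verification is a separate step this snippet does not perform.

```python
"""Audit a CycloneDX-style SBOM for supply-chain red flags (illustrative, not a real tool)."""
import json
from urllib.parse import parse_qs

# Constructed SBOM fragment: package names, versions and hashes are made up for this example.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
     "hashes": [{"alg": "SHA-256", "content": "0000constructed0000"}]},
    {"name": "requsts", "version": "1.0.0", "purl": "pkg:pypi/requsts@1.0.0", "hashes": []},
    {"name": "acme-billing-core", "version": "3.2.1",
     "purl": "pkg:pypi/acme-billing-core@3.2.1?repository_url=https://pypi.org/simple",
     "hashes": [{"alg": "SHA-256", "content": "1111constructed1111"}]},
    {"name": "acme-auth", "version": "1.4.0",
     "purl": "pkg:pypi/acme-auth@1.4.0?repository_url=https://pkgs.acme.internal/simple",
     "hashes": [{"alg": "SHA-256", "content": "2222constructed2222"}]}
  ]
}'''

# Hypothetical policy: names with these prefixes are first-party and may only come from the
# internal registry; KNOWN_GOOD is the team's reviewed third-party allowlist.
INTERNAL_PREFIXES = ("acme-",)
INTERNAL_REGISTRY = "https://pkgs.acme.internal/simple"
KNOWN_GOOD = {"requests", "urllib3", "certifi", "idna", "charset-normalizer"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquat-style) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def purl_parts(purl):
    """Split pkg:type/namespace/name@version?qualifiers into its fields."""
    body, _, query = purl.partition("?")
    path, _, version = body[len("pkg:"):].partition("@")
    segments = path.split("/")
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return {"type": segments[0], "name": segments[-1], "version": version, "qualifiers": qualifiers}


def audit_sbom(sbom_json):
    """Return (component name, finding) pairs for every red flag in the SBOM."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        parts = purl_parts(comp["purl"])
        name = parts["name"]
        if not comp.get("hashes"):
            findings.append((name, "no-hash"))  # nothing to verify the artifact against
        if name.startswith(INTERNAL_PREFIXES):
            if parts["qualifiers"].get("repository_url") != INTERNAL_REGISTRY:
                # first-party name resolved from a public registry: dependency confusion risk
                findings.append((name, "dependency-confusion"))
        elif name not in KNOWN_GOOD:
            near = sorted(k for k in KNOWN_GOOD if edit_distance(name, k) <= 1)
            if near:
                findings.append((name, "typosquat-candidate:" + near[0]))
            else:
                findings.append((name, "not-on-allowlist"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_sbom(SBOM_JSON):
        print(f"{name}: {finding}")
```

Run against the constructed SBOM, the audit flags `requsts` twice (no hash, one edit from `requests`) and `acme-billing-core` once (first-party name served from the public index), while `requests` and `acme-auth` pass. The point for a review checklist is that none of these three findings is a CVE; a classic SCA scanner would report the SBOM as clean.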

A10:2025 Mishandling of Exceptional Conditions

Mishandling of Exceptional Conditions is a genuinely new category that replaces SSRF in the #10 slot. It covers failures to prevent, detect, and respond to unusual and unpredictable situations: uncaught exceptions that reveal stack traces, race conditions that allow double-withdrawal, TOCTOU (time-of-check to time-of-use) bugs, failed assertions that fail open, and off-nominal states that the application enters without handling.

This category pulls together weaknesses that were previously scattered across the CWE catalog without a clean home in the Top 10. Adding it formalizes a real class of bug that application security programs have long treated as "miscellaneous defects." The practical effect for engineering teams is that error-handling and exception policy now deserve a dedicated checklist in code review, not just a coding convention.
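Two of the patterns listed above, an assertion that fails open and a check-then-act race, are short enough to show side by side with their fixes. The following is an added example for this guide (not code from OWASP or any project): a permission check that swallows lookup errors and grants access, next to one that denies on error and records the event for alerting; and a withdrawal routine whose balance check and debit can interleave across threads, next to one that holds a lock across both steps. The `POLICY` store, `SECURITY_EVENTS` list and account balances are constructed for the example.

```python
"""Fail-closed authorization and race-free withdrawals (illustrative, not from OWASP or any project)."""
import threading
import time

# Constructed permission store; a missing user raises KeyError, standing in for any
# backend failure (timeout, malformed record) a real lookup could hit.
POLICY = {"alice": {"report:read"}, "bob": set()}
SECURITY_EVENTS = []  # constructed stand-in for the team's alerting sink


def lookup_permissions(user):
    return POLICY[user]


def can_access_fail_open(user, perm):
    """Anti-pattern: a lookup error is swallowed and treated as permission."""
    try:
        return perm in lookup_permissions(user)
    except Exception:
        return True


def can_access_fail_closed(user, perm):
    """Hardened: only a successful positive lookup grants; errors deny and are surfaced."""
    try:
        allowed = perm in lookup_permissions(user)
    except Exception as exc:
        SECURITY_EVENTS.append(f"authz lookup failed for {user!r}: {exc!r}")
        return False
    return allowed


class Account:
    """Balance with a lock so check-then-act on withdraw cannot be interleaved."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount):
        # TOCTOU: the balance check and the debit are separate steps with no lock,
        # so several threads can all pass the check before any of them debits.
        if self.balance >= amount:
            time.sleep(0.001)  # widen the window so the race shows up when run stand-alone
            self.balance -= amount
            return True
        return False

    def withdraw(self, amount):
        with self._lock:  # check and debit are now one atomic step
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_concurrent_withdrawals(account, method, n_threads, amount):
    """Start n_threads simultaneous withdrawals; return how many succeeded."""
    results = []
    barrier = threading.Barrier(n_threads)

    def worker():
        barrier.wait()
        results.append(method(amount))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("fail-open grants unknown user:", can_access_fail_open("mallory", "report:read"))
    print("fail-closed denies unknown user:", can_access_fail_closed("mallory", "report:read"))
    unsafe = Account(100)
    print("unsafe successes:", run_concurrent_withdrawals(unsafe, unsafe.withdraw_unsafe, 20, 30),
          "balance:", unsafe.balance)
    safe = Account(100)
    print("locked successes:", run_concurrent_withdrawals(safe, safe.withdraw, 20, 30),
          "balance:", safe.balance)
```

With a starting balance of 100 and twenty threads each trying to take 30, the locked version always succeeds exactly three times and leaves 10; the unlocked version will, on most runs, let more than three through and drive the balance negative. That non-determinism is exactly why these bugs slip past tests and why a reviewer has to look for the pattern rather than wait for a failing case.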

The retired category

SSRF rolled into Broken Access Control

2021's A10 Server-Side Request Forgery (SSRF) has been consolidated into A01:2025 Broken Access Control. The rationale is that SSRF is fundamentally an access control failure: the server makes a request on behalf of a user to a resource the user should not be able to reach. Framing it as its own category obscured the root cause. In the 2025 edition, SSRF is now a sub-pattern of access control, alongside insecure direct object reference (IDOR), path traversal, and privilege escalation.

Teams do not need to stop training on SSRF specifically. It just lives under a different label now.

The biggest ranking shifts

Security Misconfiguration: #5 to #2

Security Misconfiguration is the most consequential ranking move in the 2025 edition. It jumped three slots from #5 to #2, reflecting how much of the real-world breach data over the last four years has traced back to default credentials, overly permissive cloud IAM policies, public S3 buckets, exposed admin interfaces, and production systems running debug configurations. The category now also absorbs elements of what was separately tracked as "hardening failures."

For engineering teams, this is a signal to prioritize infrastructure-as-code review as heavily as application code review, and to add misconfiguration scanning (cloud posture, container image hardening, web server defaults) into CI pipelines if it is not already there.
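What "misconfiguration scanning in CI" looks like at its simplest: a rule set walked over declared resources before they are applied. The block below is an added example for this guide (not a real scanner and not OWASP's code) that checks a constructed, Terraform-shaped resource list for four of the findings named above: a public bucket ACL, an IAM statement that allows every action on every resource, debug mode left on, and an admin interface reachable from any source address. The resource names, the `app_config` resource type and its keys are made up for the example; `harden` shows the corrected setting beside each weak one where the fix is mechanical.

```python
"""Flag common misconfigurations in an IaC-style resource list (illustrative, not a real scanner)."""
import copy

# Constructed resources in a Terraform-like shape; names and values are made up.
RESOURCES = [
    {"type": "aws_s3_bucket", "name": "public-assets", "acl": "public-read"},
    {"type": "aws_s3_bucket", "name": "customer-exports", "acl": "private"},
    {"type": "aws_iam_policy", "name": "ops-admin",
     "statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"type": "aws_iam_policy", "name": "exports-reader",
     "statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                    "Resource": "arn:aws:s3:::customer-exports/*"}]},
    {"type": "app_config", "name": "api", "debug": True, "admin_allow_cidrs": ["0.0.0.0/0"]},
    {"type": "app_config", "name": "worker", "debug": False, "admin_allow_cidrs": ["10.0.0.0/8"]},
]

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_resource(res):
    """Return the finding codes for one resource (empty list when it passes)."""
    findings = []
    if res["type"] == "aws_s3_bucket" and res.get("acl") in PUBLIC_ACLS:
        findings.append("public-bucket")
    if res["type"] == "aws_iam_policy":
        for stmt in res.get("statement", []):
            wildcard_action = "*" in _as_list(stmt.get("Action", []))
            wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
            if stmt.get("Effect") == "Allow" and wildcard_action and wildcard_resource:
                findings.append("wildcard-admin")  # Allow */* is full-account admin
    if res["type"] == "app_config":
        if res.get("debug"):
            findings.append("debug-enabled")  # debug pages leak stack traces and config
        if ANY_SOURCE & set(res.get("admin_allow_cidrs", [])):
            findings.append("admin-exposed")  # admin interface reachable from anywhere
    return findings


def scan(resources):
    """Run every rule over every resource; returns (resource name, finding) pairs."""
    return [(r["name"], f) for r in resources for f in check_resource(r)]


def harden(res):
    """Return a copy with the safe default applied where the fix is mechanical.
    A wildcard IAM statement is left alone: the right scope needs a human decision."""
    fixed = copy.deepcopy(res)
    if fixed["type"] == "aws_s3_bucket" and fixed.get("acl") in PUBLIC_ACLS:
        fixed["acl"] = "private"
    if fixed["type"] == "app_config":
        fixed["debug"] = False
        # drop any-source entries; an empty list means the operator must add their own range
        fixed["admin_allow_cidrs"] = [c for c in fixed.get("admin_allow_cidrs", []) if c not in ANY_SOURCE]
    return fixed


if __name__ == "__main__":
    for name, finding in scan(RESOURCES):
        print(f"{name}: {finding}")
    print("after harden():", scan([harden(r) for r in RESOURCES]))
```

Wiring something like this into the pipeline as a blocking step is the difference between "we know about public buckets" and "a public bucket cannot reach production." Real posture tools do this with far larger rule sets, but the shape is the same: declarative input, explicit rules, fail the build.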

Cryptographic Failures: #2 to #4

Cryptographic Failures dropped from A02 to A04. The category still matters, but the combination of TLS being nearly universal, modern frameworks picking safe defaults, and HSTS adoption has reduced the rate at which cryptographic failures show up in real-world vulnerability disclosures.

Injection: #3 to #5

Injection slipped from A03 to A05. Parameterized queries, ORM adoption, and framework-level escaping have genuinely reduced the prevalence of classic injection bugs. It is not a solved category (prompt injection into LLMs is the new frontier), but traditional SQL injection and its siblings are less commonly exploited than they were four years ago.

Insecure Design: #4 to #6

Insecure Design dropped from A04 to A06, largely because design-level security thinking has diffused into normal engineering practice (threat modeling, architecture review checklists). The category remains important for greenfield systems; it just no longer sits near the top of the active exploitation risk list.

The renames

Three categories kept their approximate position but were renamed to be more precise:

  • A07: "Identification and Authentication Failures" became Authentication Failures. The identification portion was folded in as implicit; the simpler name covers the same ground.
  • A08: "Software and Data Integrity Failures" became Software or Data Integrity Failures. Minor rewording that acknowledges the two classes of failure are independent.
  • A09: "Security Logging and Monitoring Failures" became Security Logging and Alerting Failures. "Monitoring" was replaced with "Alerting" to emphasize that undetected events are the real failure mode, not the absence of metrics dashboards.

Methodology note

The 2025 edition analyzed 589 Common Weakness Enumerations, a significantly larger sample than the 2021 edition. The data draws from application security test reports contributed by organizations worldwide, augmented by a survey of security practitioners to capture categories that may not yet be well-represented in scan output but are rising in real-world exploitation. The larger CWE sample increases statistical confidence in both the ranking and the category boundaries.

What it means for your engineering team

A few concrete updates engineering leaders should make after adopting the 2025 edition:

  1. Update training. Any security awareness curriculum written against the 2021 Top 10 is missing both A03 Supply Chain and A10 Exceptional Conditions. Adding these two modules to onboarding and annual refreshers is the highest-leverage change. Our OWASP Top 10:2025 course is built on the 2025 edition natively.
  2. Expand dependency scanning into supply chain scanning. Add SBOM generation (CycloneDX or SPDX), dependency signature verification, and awareness of dependency confusion and typosquatting to your tooling. Traditional SCA is necessary but no longer sufficient.
  3. Add an exceptional-conditions checklist to code review. Uncaught exceptions, race conditions, TOCTOU bugs, and error-handling policy are now a named risk. Reviewers should check them explicitly.
  4. Prioritize misconfiguration scanning in cloud and container pipelines. The #2 ranking for Security Misconfiguration reflects where real breaches are coming from; tooling should match that priority.
  5. Reframe SSRF awareness as access-control awareness. The defensive practices are the same; they now sit under a broader umbrella.
  6. Revisit logging policy with an alerting lens. If your logs exist but nothing is watching them in close-to-real-time, the 2025 rename is pointing directly at your gap.

Why we stay current (and why many training providers don't)

A lot of compliance training is still built on the 2021 Top 10, sometimes quietly, sometimes because the vendor has not prioritized the refresh. The gap is not just a category or two. It's that the threat landscape itself has kept shifting: supply chain attacks, AI-accelerated reconnaissance and exploit development, and LLM-specific injection vectors are all realities today that the 2021 content predates.

The 2025 edition is excellent, and we built our OWASP course on it. But we also assume that by 2027 or 2028 some of what feels settled today will have shifted again. Staying current is not a one-time curriculum swap; it's a discipline. We plan to refresh our content between OWASP releases when real attack patterns change, not only on the four-year cycle. Training built against a frozen snapshot, however good, ages out faster than the standards body ships revisions.

The shorter version: the 2025 content is pretty great, but tech changes daily, and developer security training has to stay vigilant with it.

Further reading

Primary sources for anyone building training, policy, or tooling around the 2025 edition:

FAQ

When was the 2025 edition of the OWASP Top 10 released?

The 2025 edition superseded the 2021 edition as the current authoritative version. OWASP releases a major revision roughly every four years, informed by fresh CWE scan data and a practitioner survey.

Which categories are brand new in the 2025 list?

Two categories are new at the Top 10 level: A03 Software Supply Chain Failures and A10 Mishandling of Exceptional Conditions. A03 expands and rebrands the 2021 "Vulnerable and Outdated Components" category; A10 is a fresh addition that replaces SSRF in the bottom slot.

What happened to SSRF?

Server-Side Request Forgery was retired as its own category in 2025 and folded into A01 Broken Access Control. The rationale is that SSRF is fundamentally an access-control failure at root cause. The defensive practices (allowlist outbound destinations, restrict cloud metadata access, validate URL schemes) remain unchanged.
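The three defensive practices listed above, and the "access control" framing from the SSRF section earlier in this guide, come together in one function on the server side: before fetching any user-supplied URL, decide whether the server is allowed to reach that destination. The block below is an added example written for this guide (not OWASP's or any project's code) that enforces a scheme allowlist, rejects URLs carrying userinfo, requires the host to be on an explicit outbound allowlist, restricts the port, and then resolves the name and refuses anything that lands on a non-public address, including the link-local cloud metadata range. The allowlisted hostnames, the `FAKE_DNS` table and its addresses are constructed so the example runs offline; a real deployment passes its own resolver.

```python
"""Outbound URL validation for server-side fetches (illustrative, not OWASP's or any project's code)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical outbound policy for this example.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example", "cdn.example.com", "status.example"}
ALLOWED_PORTS = {443}

# Constructed DNS table so the example runs offline; a real resolver is injected via `resolver`.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.35"],
    "status.example": ["10.0.0.5"],       # allowlisted name that resolves to an internal address
    "evil.example": ["169.254.169.254"],  # the link-local cloud metadata endpoint
}


def resolve_stub(host):
    return FAKE_DNS.get(host, [])


def is_public_address(ip_str):
    """True only for globally routable addresses: rejects private, loopback,
    link-local (169.254.0.0/16 metadata), multicast and reserved ranges."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_private


def validate_outbound_url(url, resolver=resolve_stub):
    """Return (True, "ok", addresses) or (False, reason, []).

    The returned addresses are what the caller should connect to, so the address
    that was checked and the address that is dialled cannot diverge."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return (False, "scheme-not-allowed", [])
    if parts.username is not None or parts.password is not None:
        return (False, "userinfo-present", [])  # user@host forms change which host is real
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        return (False, "host-not-allowlisted", [])  # literal IPs fail here too
    try:
        port = parts.port or 443
    except ValueError:
        return (False, "port-invalid", [])
    if port not in ALLOWED_PORTS:
        return (False, "port-not-allowed", [])
    addresses = resolver(host)
    if not addresses or not all(is_public_address(a) for a in addresses):
        return (False, "resolves-to-non-public", [])
    return (True, "ok", addresses)


if __name__ == "__main__":
    for candidate in [
        "https://api.partner.example/v1/report",
        "http://api.partner.example/",
        "https://169.254.169.254/latest/meta-data/",
        "https://api.partner.example@evil.example/x",
        "https://status.example/",
        "https://api.partner.example:8443/",
    ]:
        print(candidate, "->", validate_outbound_url(candidate)[:2])
```

The order of the checks is deliberate: the cheap, purely syntactic rejections (scheme, userinfo, allowlist, port) run before any DNS lookup, and the resolved addresses are handed back to the caller so the fetch uses the addresses that were vetted rather than resolving the name a second time. The `status.example` case shows why the resolution step is still needed even with an allowlist: a trusted name can be pointed at an internal address.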

Do I need to update my SOC 2 training if I'm already using the 2021 OWASP Top 10?

Yes, if you want your training to be credible in 2026 and beyond. The 2025 edition is now the current industry reference. Auditors will not necessarily fail a SOC 2 audit over 2021 content on its own, but compliance-adjacent vendors and customers will increasingly expect 2025 alignment. Updating early is cheaper than updating under audit pressure.

Why did Security Misconfiguration jump three places?

Real-world breach data over 2021 to 2025 disproportionately traced back to misconfigurations: public cloud storage, permissive IAM policies, default credentials, and exposed admin interfaces. The ranking reflects observed exploitation rates, so the move reflects the data rather than a subjective reassessment.

Is Injection no longer a priority?

Injection remains dangerous. It dropped from A03 to A05 because widespread adoption of parameterized queries and ORMs has reduced the prevalence of classic SQL and command injection, not because the category is solved. Prompt injection into LLMs is a newer frontier that is not yet its own Top 10 category but shares the family tree.

How is the 2025 ranking determined?

The Top 10 Project Team aggregates CWE data from industry contributors and augments it with a practitioner survey to capture rising categories that may not yet be well-represented in automated scan output. The 2025 edition analyzed 589 CWEs, a significantly larger sample than the 2021 edition. The full methodology is documented on the OWASP Top 10:2025 introduction page.

Should I retrain my whole team or just update the curriculum going forward?

For teams with active SOC 2 or ISO 27001 programs, a short refresher module covering the 2025 additions (A03 Software Supply Chain Failures and A10 Mishandling of Exceptional Conditions) is usually enough for existing staff. New hires should onboard directly on the 2025 curriculum. Some teams tie the refresher to the annual training-credit renewal cycle so it happens automatically.