OWASP Top 10 2025: Supply Chain Rises to #3 as Configuration & Design Dominate
OWASP has updated its list of the most critical risks for web applications, introducing two new categories and revising the structure of its ranking. The organization has published a draft of the 2025 edition, open for public comment until 20 November. This document represents an almost finalized version of the flagship OWASP Top 10, capturing the threats most relevant to developers and administrators of modern web systems.
As in the previous edition, Broken Access Control remains in first place. The category has been expanded to encompass SSRF vulnerabilities, which previously held the tenth position. In second place is Security Misconfiguration, rising from fifth in the 2021 ranking. Third place is now occupied by Software Supply Chain Failures — an extended version of the former “Vulnerable and Outdated Components,” incorporating failures and compromises within dependency ecosystems, build pipelines, and distribution infrastructure. According to OWASP, these risks ranked among the community’s top concerns during the survey phase.
Next follow Cryptographic Failures, Injection (which includes XSS and SQL injection), and Insecure Design — all three categories descending by two positions to fourth, fifth, and sixth place respectively. Authentication Failures, Software or Data Integrity Failures, and Logging & Alerting Failures retain their previous rankings — seventh through ninth.
A new addition rounds out the list: Mishandling of Exceptional Conditions, which includes flaws in exception handling, improper responses to anomalies, and logical failures that emerge under non-standard operating conditions.
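As an illustration of the kind of flaw this new category covers, the following Python is an added example and is not taken from the OWASP document or its data. It shows a fail-open authorization check beside a fail-closed one: the vulnerable version is written as a deny list, so when the role lookup raises, the unset role slips past the only deny and the caller is treated as an administrator. The backend functions and the `PolicyUnavailable` exception are constructed stand-ins, not a real API.

```python
"""Added example, not from the OWASP document: a fail-open exception handler
(the kind of flaw Mishandling of Exceptional Conditions covers) beside its
fail-closed counterpart. Backends and exception type are constructed stand-ins."""
import logging


class PolicyUnavailable(Exception):
    """Constructed: raised when the authorization backend cannot be reached."""


def is_admin_fail_open(user, lookup_role):
    """Vulnerable: a backend failure is treated as 'no restriction'.

    The check is a deny list ('users are not admins'), so when the lookup
    raises and role stays None, the caller is granted admin rights.
    """
    role = None
    try:
        role = lookup_role(user)
    except PolicyUnavailable as exc:
        logging.warning("role lookup failed for %s: %s", user, exc)
    if role == "user":
        return False
    return True  # None (lookup failed) and any unexpected role land here


def is_admin_fail_closed(user, lookup_role):
    """Hardened: deny on any anomaly, grant only on a positive 'admin' answer."""
    try:
        role = lookup_role(user)
    except PolicyUnavailable as exc:
        logging.warning("role lookup failed for %s, denying: %s", user, exc)
        return False
    return role == "admin"


# Constructed backends for the demonstration.
def healthy_backend(user):
    return {"alice": "admin", "bob": "user"}.get(user, "user")


def broken_backend(user):
    raise PolicyUnavailable("policy service timed out")


if __name__ == "__main__":
    for check in (is_admin_fail_open, is_admin_fail_closed):
        # fail-open prints True during an outage, fail-closed prints False
        print(check.__name__, "mallory during outage ->",
              check("mallory", broken_backend))
```

The difference is not the `try`/`except` itself but what the code does with a value it never obtained: the hardened version treats the missing answer as a denial and logs it, which is also the only variant whose behaviour under outage is worth alerting on.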
OWASP representatives noted that the 2025 structure differs significantly from that of 2021. Prevalence was measured as an incidence rate: for each CWE (Common Weakness Enumeration), the number of tested applications in which at least one instance of that weakness was found, divided by the total number of applications tested over the year. Counting applications rather than findings captures how widespread a weakness is across the full set of tested products, without one application that contains hundreds of copies of the same flaw distorting the result. A total of 589 CWEs were analyzed, compared with just 30 in 2017 and about 400 in 2021.
For exploitability and technical impact, OWASP relied on CVE data, grouping published vulnerabilities by CWE and averaging their CVSS scores. Because the contributed test data largely reflects what automated tooling can detect, only eight categories were selected on that empirical basis; the remaining two came from community surveys in which practitioners named the risks they consider most critical in practice.
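To make the two aggregation steps concrete, the following Python is an added example and is not OWASP's own tooling or data. It runs a naive per-finding count and the incidence-rate count side by side on a constructed data set, so the effect described above is visible: one application with many copies of the same weakness tops the naive count, while the incidence rate ranks the weakness that appears in the most applications first. It then groups constructed CVE-style records by CWE and averages their CVSS base scores. The findings, record ids and scores are made up; only the CWE ids are real.

```python
"""Added example, not OWASP's own tooling: the two aggregation steps the
methodology above describes, run on constructed data. Findings, record ids and
scores are made up for illustration; only the CWE ids are real."""
from collections import defaultdict
from statistics import mean

# Constructed test results: (application, CWE). A repeated pair means the same
# weakness was reported several times in one application.
FINDINGS = [
    ("app1", "CWE-79"), ("app1", "CWE-79"), ("app1", "CWE-79"), ("app1", "CWE-79"),
    ("app2", "CWE-79"),
    ("app1", "CWE-284"), ("app2", "CWE-284"), ("app3", "CWE-284"), ("app4", "CWE-284"),
    ("app5", "CWE-89"),
]
TOTAL_APPS_TESTED = 5  # every application in the data set, clean ones included

# Constructed CVE-style records: (record id, CWE, CVSS base score).
CVE_RECORDS = [
    ("rec-1", "CWE-79", 6.1), ("rec-2", "CWE-79", 5.4),
    ("rec-3", "CWE-284", 7.5), ("rec-4", "CWE-284", 9.8),
    ("rec-5", "CWE-89", 9.8),
]


def instance_counts(findings):
    """Naive frequency: total findings per CWE across all applications."""
    counts = defaultdict(int)
    for _, cwe in findings:
        counts[cwe] += 1
    return dict(counts)


def incidence_rates(findings, total_apps):
    """Incidence rate per CWE: share of tested applications with >= 1 instance."""
    apps_with_cwe = defaultdict(set)
    for app, cwe in findings:
        apps_with_cwe[cwe].add(app)
    return {cwe: len(apps) / total_apps for cwe, apps in apps_with_cwe.items()}


def rank(metric):
    """CWE ids ordered from most to least prevalent under the given metric."""
    return sorted(metric, key=lambda cwe: (-metric[cwe], cwe))


def average_cvss_by_cwe(records):
    """Mean CVSS base score of the CVE records mapped to each CWE."""
    scores = defaultdict(list)
    for _, cwe, score in records:
        scores[cwe].append(score)
    return {cwe: round(mean(vals), 2) for cwe, vals in scores.items()}


if __name__ == "__main__":
    print("by instance count:", rank(instance_counts(FINDINGS)))
    print("by incidence rate:", rank(incidence_rates(FINDINGS, TOTAL_APPS_TESTED)))
    print("average CVSS:", average_cvss_by_cwe(CVE_RECORDS))
```

On this data the naive count puts CWE-79 first (five findings, four of them in one application), while the incidence rate puts CWE-284 first (present in four of five applications). The averaging step is written against base scores because that is what the summary above mentions; which CVSS components are averaged is an assumption of this example, not a statement of OWASP's exact calculation.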
Thus, OWASP Top 10 — 2025 reflects a clear shift in the community’s focus: away from classic implementation bugs and toward issues of configuration, architecture, and software supply chains — the increasingly common root causes of modern web-application compromises.