Tags: OWASP, LLM Security, Compliance

OWASP LLM Top 10 for 2025: What changed and why it matters

OWASP LLM Top 10 2025 adds System Prompt Leakage, Vector Weaknesses, and Unbounded Consumption. What changed and what enterprises must do now.

Manish Chawda, Founder & CEO, AgenticAssure · 8 min read

The OWASP Top 10 for Large Language Model Applications received its first major revision in November 2024, moving from the 2023 v1.1 release to a comprehensive 2025 edition. For any organization deploying LLMs in customer-facing chatbots, internal AI assistants, or autonomous agents, these changes are not academic. They map directly to the vulnerabilities your models face in production.

Three entirely new entries

System Prompt Leakage (LLM07:2025)

This entry was long overdue. Multiple high-profile incidents showed that system prompts, once assumed safely hidden, could be extracted through creative user interactions. The OWASP team’s position is clear: the system prompt should not be considered a secret, nor should it be used as a security control.

What this means practically: if your system prompt contains API keys, database credentials, role definitions, or business logic rules, you have a vulnerability. These should be externalized to systems the model does not access directly.

Vector and Embedding Weaknesses (LLM08:2025)

RAG has become the default architecture for grounding LLM outputs. But the security implications of vector databases and embeddings have not kept pace. This new entry addresses data poisoning through RAG, cross-context leakage in multi-tenant environments, and embedding inversion that lets attackers reconstruct source data.

If your organization uses RAG, and in 2026 most enterprise LLM applications do, this entry demands immediate attention.

Unbounded Consumption (LLM10:2025)

What was previously “Denial of Service” has been expanded into a broader risk category covering resource abuse, Denial of Wallet attacks, and model theft through API extraction. The cost implications are real: a targeted Denial of Wallet attack against a cloud-hosted LLM can generate tens of thousands of dollars in compute charges in hours.

What this means for your security program

If you are deploying LLMs in production, three things should happen immediately:

  1. Audit your system prompts. Remove credentials, connection strings, and business logic. Assume the prompt will be extracted.
  2. Secure your RAG pipeline. Implement access controls on your vector database. Validate and sanitize all documents before ingestion.
  3. Run continuous red teaming. The 2025 list makes clear that point-in-time assessments are not sufficient.
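The first two steps above can be made concrete in code. The following is an added illustration, not AgenticAssure's tooling or any OWASP reference implementation: a system-prompt audit that flags secret-shaped tokens (step 1), and a minimal in-memory vector store that applies the tenant filter before similarity ranking so multi-tenant RAG cannot leak across contexts (step 2). The secret patterns, the `Chunk` and `TenantScopedStore` names, and the dot-product scoring are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Secret shapes that should never appear in a system prompt. The AWS "AKIA"
# and "sk-" key formats are well-known public formats; the other two are
# generic shapes and will flag some false positives, which is acceptable
# for an audit whose purpose is to force credentials out of the prompt.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk_style_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "connection_string": re.compile(r"\b\w+://[^\s:/]+:[^\s@/]+@\S+"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|secret)\s*[:=]\s*\S+"),
}


def audit_system_prompt(prompt: str) -> list[tuple[str, str]]:
    """Return (pattern_name, redacted_token) for each secret-shaped token.
    The token is redacted so the audit report cannot itself leak the value."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(prompt):
            token = match.group(0)
            redacted = (token[:4] + "...") if len(token) > 8 else "..."
            findings.append((name, redacted))
    return findings


@dataclass
class Chunk:
    tenant_id: str
    text: str
    embedding: list[float]


@dataclass
class TenantScopedStore:
    """Stand-in for a vector database (assumed, not a real product API).
    The tenant filter is applied before ranking, so one tenant's query can
    never surface another tenant's chunks however similar the embeddings."""
    chunks: list[Chunk] = field(default_factory=list)

    def add(self, tenant_id: str, text: str, embedding: list[float]) -> None:
        self.chunks.append(Chunk(tenant_id, text, embedding))

    def search(self, tenant_id: str, query: list[float], k: int = 3) -> list[str]:
        candidates = [c for c in self.chunks if c.tenant_id == tenant_id]
        # Dot product stands in for the cosine/ANN scoring a real store uses.
        scored = sorted(candidates, key=lambda c: -sum(a * b for a, b in zip(c.embedding, query)))
        return [c.text for c in scored[:k]]
```

Run the audit against every prompt template in CI so a credential cannot be merged into one, and treat a non-empty result as a build failure rather than a warning.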

AgenticAssure maps every finding to the OWASP LLM Top 10 (10/10 categories), NIST AI RMF, MITRE ATLAS, MAS MindForge, and AI Verify, producing the compliance evidence your board and regulators need.
