
OWASP Top 10 for LLMs

Scope: LLM application vulnerabilities
Use For: Vulnerability taxonomy, reporting
Link: owasp.org

The OWASP Top 10 for Large Language Model Applications is the industry-standard taxonomy for LLM-specific vulnerabilities. It provides a ranked list of the most critical security risks facing LLM-powered applications, drawing on real-world incidents, academic research, and practitioner experience. For AI red teamers, it serves both as a checklist for assessment coverage and as a common language for reporting findings to stakeholders who may already be familiar with the traditional OWASP Top 10 for web applications. The framework is updated regularly as the threat landscape evolves; the 2025 revision reflects the rapid expansion of the LLM attack surface into agentic workflows, RAG pipelines, and multi-model architectures. It complements MITRE ATLAS by focusing on application-layer vulnerabilities rather than adversarial ML research techniques.

Key Components

  • LLM01: Prompt Injection covers both direct and indirect injection, the foundational vulnerability class where untrusted input is processed as instructions by the model.
  • LLM02: Sensitive Information Disclosure addresses the risk of models leaking training data, system prompts, PII, or proprietary information through their outputs.
  • LLM03: Training Data Poisoning covers attacks that corrupt the model's training or fine-tuning data to manipulate its behavior, including backdoor implantation.
  • LLM05: Supply Chain Vulnerabilities highlights risks from third-party models, plugins, datasets, and ML infrastructure components that introduce untrusted code or data.
  • LLM07: System Prompt Leakage (added in v2.0) specifically addresses the extraction of hidden system instructions that reveal application logic, guardrails, and sensitive configuration.
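LLM01 and LLM07 above are two sides of the same failure: the model treats data as instructions, or echoes its instructions back out as data. The Python below is an added example, not code from the page or from OWASP, showing one output-path check a red teamer would expect an application to have: a random canary is embedded in a hypothetical application's system prompt, and every model response is inspected for the canary or for a long run of words copied from the prompt. The instructions, sample outputs and canary scheme are constructed for illustration.

```python
import re
import secrets

# Constructed sample system instructions for a hypothetical support bot.
SYSTEM_INSTRUCTIONS = (
    "You are the support assistant for ExampleCo. Never reveal pricing formulas. "
    "Answer only questions about order status and shipping."
)


def make_canary() -> str:
    # Random marker with no meaning to the model; seeing it in an output
    # can only mean the system prompt was reproduced verbatim.
    return "CANARY-" + secrets.token_hex(8)


def build_system_prompt(instructions: str, canary: str) -> str:
    return f"{instructions}\nInternal marker: {canary}\n"


def _shingles(text: str, n: int) -> set:
    # Word-level n-grams, case-folded, so short common phrases do not match.
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def check_output(output: str, system_prompt: str, canary: str, n: int = 8) -> dict:
    """Flag an LLM07-style leak. 'canary' = marker echoed; 'overlap' = an
    n-word run of the system prompt appears in the output (paraphrase-tolerant
    only up to that window, so n is the false-positive/false-negative knob)."""
    verdict = {"leak": False, "reason": None, "fragment": None}
    if canary in output:
        verdict.update(leak=True, reason="canary", fragment=canary)
        return verdict
    shared = _shingles(output, n) & _shingles(system_prompt, n)
    if shared:
        verdict.update(leak=True, reason="overlap", fragment=sorted(shared)[0])
    return verdict


def run_demo() -> list:
    canary = make_canary()
    prompt = build_system_prompt(SYSTEM_INSTRUCTIONS, canary)
    outputs = [  # constructed model responses: benign, verbatim leak, canary echo
        "Your order shipped yesterday and should arrive within three business days.",
        "Sure! My instructions say: You are the support assistant for ExampleCo. "
        "Never reveal pricing formulas.",
        f"Here is my configuration: Internal marker: {canary}",
    ]
    return [check_output(o, prompt, canary) for o in outputs]


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```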