
OWASP Top 10 2025: What's New

Blog post from Semgrep

Post Details

- Company: Semgrep
- Author: Milan Williams
- Word Count: 428
- Language: English
Summary

The 2025 edition of the OWASP Top 10 has been released, providing an updated industry standard for identifying the major risks in application security. It reflects a view of software security that now spans the entire software development lifecycle rather than only the running application.

This edition introduces two new categories. Software Supply Chain Failures expands the previous "Vulnerable and Outdated Components" category to cover the full supply chain, not just third-party libraries. Mishandling of Exceptional Conditions covers issues such as poor error handling and unpredictable system crashes. In addition, Server-Side Request Forgery (SSRF) has been folded into Broken Access Control, reflecting that at its core SSRF is an access control issue.

The OWASP Foundation, working with security experts and practitioners, compiled the list by analyzing extensive data from a large number of applications, with the aim of guiding organizations in improving their application security practices. In line with these updates, over 4,000 Semgrep rules have been revised to align with the new OWASP Top 10 categories, so that users can map identified vulnerabilities to OWASP's risk categories more accurately.