MAY NOT BE REPRODUCED WITHOUT PERMISSION
As generative AI and large language are embedded into a greater number of internal processes and customer-facing applications, the risks associated with LLMs are growing. The OWASP Top 10 list for LLM applications for 2025 details these risks based on real-world usage as a cautionary note for leaders in tech, cybersecurity, privacy, and compliance.
“Organizations are entering uncharted territory in securing and overseeing GenAI solutions. The rapid advancement of GenAI also opens doors for adversaries to enhance their attack strategies, a dual challenge of defense and threat escalation.” — OWASP
Attacks or manipulation of AI models are particularly nefarious because they are often hidden from end users, but can significantly impact outputs. When these risks are introduced by users, outputs are skewed and can be used for deliberate misinformation or other malicious activities.
The 2025 OWASP Top 10 for Large Language Models
Let’s break down each of the top 10 risks with examples and strategies for prevention and mitigation.
1. Prompt Injection
Prompt Injection occurs when user inputs alter an LLM’s behavior or output in unintended ways. This might involve bypassing safety measures, unauthorized access, or manipulation of decisions.
Examples
- Injecting prompts into a chatbot to access private data
- Using hidden instructions in web content to influence outputs
- Modifying documents in repositories to manipulate Retrieval-Augmented Generation (RAG)
- Using different languages in instructions to evade detection
Prevention and Mitigation Strategies
- Integrate data sanitization to prevent user data from entering models.
- Implement filtering for sensitive content on both inputs and outputs.
- Apply least privilege access controls for model operations.
- Limit access to external data sources.
- Incorporate differential privacy to add noise to data or outputs.
Advanced techniques include the use of homomorphic encryption and tokenization to preprocess and sanitize any sensitive information.
2. Sensitive Information Disclosure
Sensitive Information Disclosure happens when a model unintentionally reveals private or confidential data through responses. This often includes information that is contained in training data and disclosed by specific user queries.
Examples
- Leaking API keys or user credentials
- Disclosing proprietary business strategies inappropriately
- Sharing personal user data when answering queries
- Revealing sensitive system details or prompts
Prevention and Mitigation Strategies
- Scrub training data to remove sensitive details.
- Enforce content filtering for sensitive output categories.
- Eliminate outdated or vulnerable components.
- Employ robust access controls to protect sensitive data from exposure.
- Audit responses to identify and prevent leaks.
- Implement response anonymization techniques.
3. Supply Chain Vulnerabilities
Supply Chain Vulnerabilities introduce risks when third-party components or dependencies are used. This can include malicious or unverified data, libraries, or models. It may simply be bad data or data crafted for malicious intent.
Examples
- Integrating an LLM library with hidden backdoors
- Using compromised third-party APIs for additional functionalities
- Employing pre-trained models poisoned with manipulated data
- Deploying updates from untrusted sources
Prevention and Mitigation Strategies
- Deploy strict data governance frameworks.
- Validate all third-party libraries and datasets.
- Limit data sources to vetted suppliers.
- Implement runtime monitoring to detect suspicious behaviors.
- Conduct regular security reviews of supply chain dependencies.
4. Data and Model Poisoning
In Data and Model Poisoning threats, attackers deliberately manipulate the training data to influence LLM behavior or introduce new vulnerabilities.
Examples
- Embedding harmful instructions in data to alter outputs
- Modifying fine-tuning datasets to introduce bias
- Creating backdoors to enable specific responses to prompts
- Poisoning datasets to reduce model accuracy
Prevention and Mitigation Strategies
- Vet and secure data sources during training and fine-tuning.
- Use anomaly detection to identify unusual patterns in data.
- Employ differential privacy to minimize the impact of single data points.
- Regularly test models against poisoning attempts.
- Isolate and validate all updates before deployment.
5. Improper Output Handling
When outputs are not validated, filtered, or restricted, you can get Improper Output Handling. This can generate harmful content and introduce additional security risks.
Examples
- Generating biased or harmful language in responses
- Producing content that leaks private information
- Returning code that executes unintended operations
- Providing inaccurate or misleading outputs
Prevention and Mitigation Strategies
- Adopt a zero-trust approach and apply proper input validation.
- Apply filters to block harmful or restricted content.
- Require source citations for factual responses to ensure reliability.
- Test outputs under diverse scenarios to identify vulnerabilities.
6. Excessive Agency
Excessive Agency refers to situations where LLMs are granted too much autonomy, enabling them to perform high-risk actions such as executing commands or accessing sensitive systems without adequate safeguards.
Examples
- Allowing LLMs to execute API calls without monitoring
- Automating high-stakes decisions like financial transactions or health information
- Enabling unrestricted file system access
- Permitting unsupervised plugin interactions in complex applications
Prevention and Mitigation Strategies
- Limit LLM access to essential operations.
- Implement human-in-the-loop oversight for critical tasks.
- Use granular privilege controls to restrict capabilities.
- Log and monitor LLM actions for accountability.
- Design fail-safe mechanisms to intervene if unauthorized actions are detected.
7. System Prompt Leakage
System Prompt Leakage occurs when confidential or internal prompts embedded in LLM systems are revealed to users or attackers, exposing sensitive instructions or system configurations.
Examples
- Revealing hidden system prompts
- Exposing API keys or database connections within system prompts
- Uncovering filtering criteria, permission and user roles, and other internal rules
Prevention and Mitigation Strategies
- Design system prompts to prevent disclosure of sensitive or confidential data.
- Isolate system instructions from input layers.
- Employ input/output guardrails to detect and block leaks.
- Ensure security controls are enforced independently from the LLM.
8. Vector and Embedding Weaknesses
With Vector and Embedding Weaknesses, attackers exploit vector representations or embedding systems used in applications to manipulate model behavior or data integrity.
Examples
- Unauthorized access to embeddings containing sensitive information
- Spoiling embeddings to degrade search accuracy or results
- Exploiting proximity-based flaws in vector similarity calculations
- Introducing malicious content into shared embedding spaces
Prevention and Mitigation Strategies
- Validate and sanitize inputs before generating embeddings.
- Regularly monitor vector spaces for anomalies.
- Apply noise-tolerant algorithms to enhance defenses against adversarial attacks.
- Implement strict permission and access controls for embedding systems.
9. Misinformation
Misinformation arises when LLMs generate incorrect, misleading, or biased outputs. This can spread misleading information that appears credible, leading to security breaches, damage to reputation, and legal liabilities.
Examples
- Generating false medical advice in a healthcare chatbot
- Producing biased content in response to sensitive queries
- Misrepresenting facts or spreading conspiracy theories
- Generating unsafe code or introducing insecure code libraries
Prevention and Mitigation Strategies
- Train models with diverse, verified, and up-to-date datasets.
- Require source citations and validation for factual outputs.
- Regularly audit outputs for accuracy and bias.
- Employ post-processing filters to flag or correct incorrect content.
- Use human oversight for use cases requiring high accuracy.
10. Unbounded Consumption
Unbounded Consumption refers to scenarios where LLMs are exploited to consume excessive resources, leading to denial of service, increased costs, or degraded system performance.
Examples
- Generating excessively long outputs in response to user prompts
- Processing extremely large inputs that overload systems
- Handling infinite loops in query chains that drain resources
- Allowing unrestricted API calls — leading to billing surges
Prevention and Mitigation Strategies
- Impose strict limits on input size, output length, and processing time.
- Use rate-limiting for API calls and resource allocation.
- Implement timeouts and monitoring to terminate excessive operations.
- Validate inputs to detect and reject resource-intensive requests.

Download the Cybersecurity and Governance Checklist
For further guidance, you can download OWASP’s LLM AI Cybersecurity and Governance Checklist for developers and AI leaders in pursuit of responsible and trustworthy AI solutions.