Introduction
The OWASP Top 10 is one of the most trusted resources for anyone working in web security. It highlights the most critical security risks that developers, security engineers, and testers should be aware of.
In this post, we’ll look at the latest OWASP Top 10 for 2025, what changes have been made compared to previous versions, and which new categories have been added.
So, let’s jump straight into the topic and explore what’s new in the OWASP Top 10 2025!
What’s actually changed in 2025?
Before we get into the details, here's the quick overview: the 2025 edition adds one brand-new category (Mishandling of Exceptional Conditions), broadens the old Vulnerable and Outdated Components category into Software Supply Chain Failures, and folds Server-Side Request Forgery into Broken Access Control. Several of the remaining categories have also changed rank compared with 2021.
Here's the full list, with the change from the 2021 edition noted for each entry:

- Broken Access Control (still #1; now also absorbs Server-Side Request Forgery, which was #10 in 2021)
- Security Misconfiguration (up from #5 to #2)
- Software Supply Chain Failures (expanded from Vulnerable and Outdated Components; up from #6 to #3)
- Cryptographic Failures (down from #2 to #4)
- Injection (down from #3 to #5)
- Insecure Design (down from #4 to #6)
- Authentication Failures (still #7; renamed from Identification and Authentication Failures)
- Software or Data Integrity Failures (still #8)
- Logging & Alerting Failures (still #9; renamed from Security Logging and Monitoring Failures)
- Mishandling of Exceptional Conditions (brand new for 2025)