OWASP Top 10 2025: Everything That Changed and What It Means for Developers
TLDR: OWASP released its 2025 Top 10 in November — the first update in four years. They analysed 2.8 million applications, 175,000 CVE records, and surveyed practitioners worldwide. The result: two brand-new categories (Supply Chain Failures and Mishandling of Exceptional Conditions), Security Misconfiguration jumping from #5 to #2, and a fundamental philosophical shift — from cataloguing symptoms to identifying root causes. If your team is still working off the 2021 list, your threat model is already outdated.
The List That Shapes How the World Builds Software
Four years ago, a security team somewhere pinned the OWASP Top 10:2021 to their Confluence wall and said "right, let's test against this." That list has since shaped pen test scopes, compliance frameworks, developer training curricula, and security tooling roadmaps across thousands of organisations.
Then, in November 2025 at the Global AppSec Conference, OWASP quietly dropped the 2025 edition — and a few things shifted significantly.
If you're not familiar with what OWASP is, we covered that in detail here. Short version: it's the most widely referenced standard for web application security risks in the world. When it changes, the industry pays attention.
So let's walk through exactly what changed, why, and what it means for your application in 2026.
The Methodology Shift Nobody Talked About
Before we get to the rankings, the most important change in 2025 isn't a new category. It's a philosophical one.
OWASP deliberately moved from categorising symptoms to categorising root causes.
The 2021 list included things like "Sensitive Data Exposure" — which describes what happens when something goes wrong. The 2025 list reframes these as "Cryptographic Failures" — which describes why it goes wrong. That distinction matters enormously for developers. Fixing a symptom is whack-a-mole. Fixing a root cause is engineering.
The team analysed 589 Common Weakness Enumerations (CWEs) — substantially more than the 2021 edition — selected eight categories from data, and reserved two slots for community-voted risks that data alone doesn't yet capture. The result is a list that reflects both what's happening now and what practitioners on the ground are worried is coming.
What's New: The Two Brand-New Categories
A03: Software Supply Chain Failures
This is the one that should concern every CTO. It expands the 2021 category "Vulnerable and Outdated Components" to encompass the entire software supply chain — dependencies, build systems, and distribution infrastructure. Despite having the fewest occurrences in testing data, it carries the highest average exploit and impact scores from CVEs.
The reason: supply chain attacks don't look like bugs. They look like legitimate updates from trusted sources. The SolarWinds attack. The XZ Utils backdoor. The compromised event-stream npm package. These weren't vulnerabilities in your code — they were trust failures in your pipeline.
50% of survey respondents ranked Supply Chain Failures as their top concern — the highest consensus across any single category. The community sees where the next wave of attacks is coming from. This category is their answer.
A10: Mishandling of Exceptional Conditions
The second new entry is subtler but just as important. It focuses on how systems behave under abnormal conditions: exceptions, unexpected inputs, and fail-open logic. Attackers increasingly exploit edge cases and exception paths — code paths that were never covered well in design or testing.
The classic example: an error in an authentication flow that, instead of denying access, throws an unhandled exception and defaults to granting access. The code was never written to be malicious. It just wasn't written to fail safely.
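The fail-open pattern described above, written out as an added example (not code from the article or from OWASP): a record-ownership check where the vulnerable version only ever sets a deny flag, so any exception in the owner lookup skips the denial and access is granted by default, beside the fail-closed version. The record store, user names and the `StoreUnavailable` error are constructed for the example.

```python
import logging

log = logging.getLogger("authz")

# Constructed record store: record id -> owner id (sample data, not from the article).
RECORDS = {"inv-100": "alice", "inv-200": "bob"}


class StoreUnavailable(RuntimeError):
    """Stands in for a timeout or connection error from the real data store."""


def lookup_owner(record_id):
    # A missing row and an outage both surface as an exception here, which is
    # exactly the abnormal condition A10 is about.
    if record_id not in RECORDS:
        raise StoreUnavailable(f"no such record or store timeout: {record_id}")
    return RECORDS[record_id]


def authorize_fail_open(user_id, record_id):
    """Vulnerable pattern (A10): the code only ever *sets* deny, so an
    exception raised before that branch skips it and the default is grant."""
    deny = False
    try:
        if lookup_owner(record_id) != user_id:
            deny = True
    except Exception as exc:  # broad catch, error swallowed, access still granted
        log.warning("owner lookup failed: %s", exc)
    return not deny


def authorize_fail_closed(user_id, record_id):
    """Hardened form: default is deny, a positive ownership match is the only
    path to grant, and any lookup failure is logged and converted to a denial."""
    if not user_id or not record_id:
        return False
    try:
        owner = lookup_owner(record_id)
    except StoreUnavailable as exc:
        log.error("denying %s on %s: %s", user_id, record_id, exc)
        return False
    return owner == user_id


if __name__ == "__main__":
    for check in (authorize_fail_open, authorize_fail_closed):
        # An unknown record id (or a store outage) is where the two diverge.
        print(check.__name__, check("mallory", "inv-999"))
```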
The Reshuffling: What Went Up, What Got Absorbed
The full 2025 list looks like this:
| # | 2025 Category | 2021 Position |
|---|---|---|
| A01 | Broken Access Control | #1 (unchanged) |
| A02 | Security Misconfiguration | #5 → #2 |
| A03 | Software Supply Chain Failures | New |
| A04 | Cryptographic Failures | #2 → #4 |
| A05 | Injection | #3 → #5 |
| A06 | Insecure Design | #4 → #6 |
| A07 | Authentication Failures | #7 (unchanged) |
| A08 | Data Integrity Failures | #8 (unchanged) |
| A09 | Security Logging & Alerting Failures | #9 (unchanged) |
| A10 | Mishandling of Exceptional Conditions | New |
Notable: SSRF (Server-Side Request Forgery), which was A10 in 2021, has been consolidated into A01: Broken Access Control — reflecting the significant overlap between SSRF exploits and access control failures.
The biggest jump is Security Misconfiguration, from #5 to #2. It now affects virtually every tested application, with over 719,000 mapped CWE occurrences. As software becomes more configurable — containers, cloud, IaC, feature flags — misconfiguration has quietly become the most pervasive risk in modern stacks.
The Top 5 in Plain English
A01 — Broken Access Control: Still number one, still the most common finding in every pen test we run. This is when a user can do something they shouldn't — view another user's data, access an admin page, modify a record they don't own. The IDOR vulnerabilities we wrote about in this post live here. So does SSRF now.
A02 — Security Misconfiguration: Your S3 bucket is public. Your debug endpoint is live in production. Your container is running as root. None of these required a single line of bad code — just a bad configuration decision, often made once and never revisited. We covered this in detail for cloud environments here.
A03 — Software Supply Chain Failures: The npm package you installed in 2023 just received a malicious update. Your build pipeline pulls from an unverified registry. A transitive dependency — three layers deep, one you've never heard of — has a critical CVE. You shipped it last Tuesday.
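An added check, in Python, for the A03 patterns named in the Software Supply Chain Failures section and in the paragraph above (not code from the article or from OWASP): it walks a pip requirements file and flags dependencies that are not pinned, pinned packages that carry no integrity hash, and index URLs that are plaintext or outside an allow-list. The sample requirements text, the mirror hostname and the trusted-index set are constructed for the example; the 64-zero hash is a placeholder.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not from the article): one unpinned range, one pinned
# package with no hash, one fully pinned and hashed package, and an extra
# index reached over plaintext HTTP.
SAMPLE_REQUIREMENTS = (
    "--extra-index-url http://internal-mirror.example/simple\n"
    "requests>=2.0\n"
    "pyyaml==6.0.1\n"
    "cryptography==42.0.5 --hash=sha256:" + "0" * 64 + "  # placeholder hash\n"
)

# Only an exact '==' pin counts as pinned; '>=', '~=' and bare names do not.
PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*==\s*[^\s;]+")
TRUSTED_INDEXES = {"https://pypi.org/simple"}  # assumed allow-list


def audit_requirements(text, trusted=TRUSTED_INDEXES):
    """Return (line_no, finding) pairs for supply-chain risks in a requirements file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith(("--index-url", "--extra-index-url")):
            url = re.split(r"[=\s]+", line, maxsplit=1)[1]
            if urlparse(url).scheme != "https":
                findings.append((no, "index fetched over plaintext HTTP"))
            elif url.rstrip("/") not in trusted:
                findings.append((no, "index not in trusted allow-list"))
            continue
        if line.startswith("-"):
            continue  # other pip options are out of scope for this check
        if not PINNED.match(line):
            findings.append((no, "dependency not pinned with =="))
        elif "--hash=" not in line:
            findings.append((no, "pinned but no integrity hash"))
    return findings


def is_reproducible(text, trusted=TRUSTED_INDEXES):
    """True only when every line is pinned, hashed and served from a trusted index."""
    return not audit_requirements(text, trusted)


if __name__ == "__main__":
    for line_no, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {finding}")
```

Running it with `pip install --require-hashes -r requirements.txt` in the pipeline is what turns the hash finding into an enforced control rather than a report.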
A04 — Cryptographic Failures: You're storing passwords with MD5. Your TLS certificate is using a deprecated cipher suite. You're transmitting sensitive data over HTTP in an internal service because "it's internal." These are the failures that turn a minor breach into a catastrophic one.
A05 — Injection: SQL injection. Command injection. XSS. These dropped from #3 to #5 not because they're less dangerous, but because tooling has gotten better at catching them. They're still everywhere — especially in APIs — but the industry has made real progress on the basics.
The Takeaway for Your Team
Here's the uncomfortable truth: if your last security review, pen test, or threat model was based on the 2021 list, two entirely new risk categories weren't on the table. Your supply chain wasn't assessed. Your exception handling wasn't challenged. Your misconfiguration risk — now the second-highest category in the world — may have been treated as a footnote.
That's not a criticism. It's just what happens when the threat landscape moves and the assessment framework hasn't caught up yet.
The 2025 update is telling you exactly where attackers are looking right now. The question is whether you look there first.
Have you started updating your security practices to OWASP 2025? Drop a comment — we're curious how many teams are still working off the 2021 list heading into mid-2026.
How Kuboid Secure Layer Can Help
Our web application penetration tests are fully mapped to OWASP Top 10:2025 — including the two new categories. We test your supply chain exposure, your exception handling edge cases, your access control logic, and everything in between.
If you haven't had your application reviewed since 2021, now is the right time. Book a free consultation here and we'll tell you honestly where you stand.
Kuboid Secure Layer provides web application penetration testing and security assessments for growing businesses. Learn more at kuboid.in/services.