A walkthrough of the 2025 OWASP Top 10 for Large Language Model applications, the most common security threats teams hit when they put LLMs into production, plus the defenses for each.
- Video: Explained: The OWASP Top 10 for Large Language Model Applications (IBM Technology, ~25 min)
- OWASP guide: OWASP Top 10 for LLM Applications | 2025 list (genai.owasp.org)
Each section links to its timestamp in the video and to the matching entry in the official OWASP 2025 guide. Rank movements are versus the 2023 list.
One clever prompt, one exposed training file, or one sketchy plugin can turn a helpful assistant into a security incident. OWASP (the community behind the classic Top 10 for web apps) first published an LLM Top 10 in 2023; this is the updated list reflecting what we have learned since.
Crafted input steers the model into doing something it shouldn't, because LLMs don't reliably separate instructions from input. Direct injection is when the attacker types the malicious command; indirect injection hides it in content the model is asked to process (e.g. an article it summarizes). Results range from data leaks to unsafe instructions to arbitrary command execution, and creative phrasing (a poem, Morse code) can slip past prose-based guardrails. Defenses: harden the system prompt, put an AI firewall/gateway in front to inspect inputs and outputs, and penetration-test with injection attempts.
The model leaks PII, health data, financials, or proprietary IP it was trained on. Attackers can also query repeatedly to reconstruct the model itself (a model inversion / extraction attack). Defenses: sanitize and filter what goes into training, use an AI gateway to redact sensitive outputs, apply strong access controls on the model, the data and the users, and close misconfigurations (AI security posture management).
The stack (data, model, application, and the infrastructure underneath) is full of components you didn't build. Most teams pull models from open sources like Hugging Face (2M+ models, many over a billion parameters), far too large to inspect manually, so you ingest unverified components and hope for the best. Defenses: vet data and suppliers, track provenance (a chain of custody), scan and red-team models for vulnerabilities, and patch/keep software current.
Tampered training or RAG data injects error, bias, or even model-borne malware that ripples into the model's accuracy. A little "toxin in the drinking water" spreads. Retrieval-augmented generation (RAG) cuts hallucinations by grounding answers in a supplied document, but a poisoned RAG source reintroduces the problem. Defenses: know your sources, apply access controls over the model, training data and RAG data, and enforce change control on the system.
When the model's output flows into another system (code, a browser, a database query), unchecked output can introduce cross-site scripting, SQL injection, or remote code execution downstream. Defense: validate and sanitize outputs rather than blindly trusting whatever the LLM emits.
Giving the model too much power (tools, APIs, plugins, control over real-world systems) means a hijack, or even a hallucination, can cause real damage, including to health and safety. Defense: limit the model's permissions and autonomy to the minimum it needs.
If the system prompt holds secrets (credentials, API keys for apps the model logs into) and there's no guard, a cleverly phrased question can pull them out. Defense: keep sensitive data out of the system prompt and guard against leakage.
A manipulated RAG document can bleed into and persist in the LLM instead of just "washing over" it, making the system unreliable. Defense: ensure retrieved content informs the answer without permanently altering the model.
Output can be false through manipulation or hallucination. Defense: apply critical thinking, cross-reference answers against other sources, and don't base decisions on shaky ground.
Too many requests, long-running ones, or compute-heavy ones can take the system down (denial of service) or run up the bill (denial of wallet). Defense: rate-limit and manage resource consumption.
That's the OWASP Top 10 for LLMs. The attackers already know these; the guidance exists so defenders do too. See the OWASP guide for full detail on each risk.