
The New 2025 OWASP Top 10 List: What Changed, and What You Need to Know

Natalie Griffeth

Senior Content Marketing Manager

The long-awaited 2025 OWASP Top 10 list is in its near-final form* - its “release candidate” or “draft” version was announced Thursday, November 6, 2025, at the Global AppSec Conference by the Open Worldwide Application Security Project (OWASP). 

Updated every 4 years or so, the OWASP Top 10 reflects changes to the cybersecurity landscape, highlighting emerging threats. It lists Common Weakness Enumerations (CWEs), or common software and hardware weaknesses. The list serves as a reference standard that provides ranking of and remediation guidance for the top ten most critical application security risks. The goal of OWASP is to help developers and security practitioners better understand and navigate threats.

* We will issue updates to this post if any (unlikely) adjustments are made to the 2025 list.

So what’s on the new (nearly finalized) 2025 OWASP Top 10 List? 

Short answer – many of the same CWEs, but two big updates to be aware of. These changes, which we’ll dig into in the next section, point toward the increasing complexity and interconnectedness of software (and the associated risks). Understanding these 2025 updates is essential for all AppSec programs.

A01:2025 - Broken Access Control
OWASP’s Description:
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or performing a business function outside the user's limits.

A02:2025 - Security Misconfiguration
OWASP’s Description:
Security misconfiguration is when a system, application, or cloud service is set up incorrectly from a security perspective, creating vulnerabilities.

A03:2025 - Software Supply Chain Failures
OWASP’s Description:
Software supply chain failures are breakdowns or other compromises in the process of building, distributing, or updating software. They are often caused by vulnerabilities or malicious changes in third-party code, tools, or other dependencies that the system relies on.

A04:2025 - Cryptographic Failures
OWASP’s Description:
This weakness focuses on failures related to the lack of cryptography, insufficiently strong cryptography, leaking of cryptographic keys, and related errors.

A05:2025 - Injection
OWASP’s Description:
An injection vulnerability is a system flaw that allows an attacker to insert malicious code or commands (such as SQL or shell code) into a program’s input fields, tricking the system into executing the code or commands as if it were part of the system. This can lead to truly dire consequences.

A06:2025 - Insecure Design
OWASP’s Description:
Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design.” 

A07:2025 - Authentication Failures
OWASP’s Description:
When an attacker is able to trick a system into recognizing an invalid or incorrect user as legitimate.

A08:2025 - Software or Data Integrity Failures
OWASP’s Description:
Software and data integrity failures relate to code and infrastructure that does not protect against invalid or untrusted code or data being treated as trusted and valid.

A09:2025 - Logging & Alerting Failures
OWASP’s Description:
Without logging and monitoring, attacks and breaches cannot be detected, and without alerting, it is very difficult to respond quickly and effectively during a security incident. Insufficient logging, continuous monitoring, detection, and alerting to initiate active responses occur at any time.

A10:2025 - Mishandling of Exceptional Conditions
OWASP’s Description:
Mishandling exceptional conditions in software happens when programs fail to prevent, detect, and respond to unusual and unpredictable situations, which leads to crashes, unexpected behavior, and sometimes vulnerabilities. This can involve one or more of the following 3 failings: the application doesn’t prevent an unusual situation from happening, it doesn’t identify the situation as it is happening, and/or it responds poorly or not at all to the situation afterwards.

What changed in the 2025 OWASP Top 10 List? 

The 2025 list saw two new categories added to the list: Software Supply Chain Failures and Mishandling of Exceptional Conditions, plus a consolidation where the 2021 A10: Server-Side Request Forgery (SSRF) has been rolled into A01:2025 Broken Access Control.

A02, A03, and A04 from the 2021 edition moved down a few notches but stayed in the same order, indicating that while still common, there are other CWEs that are more pressing in the new 2025 list. 

The overarching theme of 2025 changes was a nod to looking at the big picture: instead of focusing efforts on specific flaws, themes emerged around looking at the SDLC as a whole.

NEW A03 - Software Supply Chain Failures 

The first, A03 - Software Supply Chain Failures, is an expansion of the 2021 category labeled “Vulnerable and Outdated Components”. The purpose of this expansion was to cover the entire software supply chain, not just vulnerable or outdated components. In 2025, it now comprises everything involved in the “process of building, distributing, or updating software”.

OWASP notes that “supply chain failures continue to be a challenge to identify”. The expansion of this category points to an acknowledgment of the complexity of the software supply chain; anything and everything that touches any part of the development process can negatively impact the outcome - a vast security scope to cover.

NEW A10 - Mishandling of Exceptional Conditions

The second new category, A10 - Mishandling of Exceptional Conditions, refers to the importance of focusing on resilience. OWASP urges that “catching and handling exceptional conditions ensures that the underlying infrastructure of our programs is not left to deal with unpredictable situations”. They advise organizations to “expect the worst” when it comes to catching every possible system error.

This addition is indicative of a need for a cross-team culture shift toward preparing to fail – that is, for orgs to predict when and how things may go wrong (and assume they will). This involves establishing practices and procedures to handle failures gracefully (another way of saying ‘build resilience’). OWASP recommends organizations measure their AppSec programs against standard frameworks to determine levels of maturity and make adjustments where needed.
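The three failings OWASP lists for A10 (not preventing an unusual condition, not identifying it, and responding poorly) shown next to a handler that addresses each one. This is an added example, not Fastly's or OWASP's code; the request body limit and the order schema are assumptions made for the demo.

```python
import json
import logging

log = logging.getLogger("orders")
MAX_BODY_BYTES = 64 * 1024  # assumed bound; tune to the real payload size


class BadRequest(Exception):
    """A client error whose message is safe to return to the caller."""


def naive_handle(body):
    # The mishandling pattern: no bound on input (nothing prevented), one
    # catch-all (nothing identified), and the raw exception echoed back to the
    # client (a poor response that also leaks internals).
    try:
        return 200, json.loads(body)
    except Exception as exc:
        return 500, {"error": repr(exc)}


def parse_order(body):
    # Prevent: refuse oversized input before the parser ever sees it.
    if len(body) > MAX_BODY_BYTES:
        raise BadRequest("request body too large")
    # Detect: catch the specific failures a malformed body can cause.
    try:
        order = json.loads(body)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        log.warning("malformed order body: %s", exc)  # detail stays server-side
        raise BadRequest("malformed JSON") from exc
    qty = order.get("qty") if isinstance(order, dict) else None
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        raise BadRequest("qty must be a positive integer")
    return order


def handle_request(body):
    """Return (status, response body). Expected client errors get a specific
    400; anything unexpected is logged in full and answered with a generic
    500, so the process neither crashes nor leaks its internals."""
    try:
        order = parse_order(body)
        return 200, {"accepted": True, "qty": order["qty"]}
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    except Exception:
        # Respond: fail closed with a generic message; the traceback goes to the log.
        log.exception("unhandled error while processing order")
        return 500, {"error": "internal error"}
```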

MERGED: A10:2021 Server-Side Request Forgery into A01:2025 Broken Access Control

In the 2021 list, A10:2021 Server-Side Request Forgery was its own category. In 2025, Server-Side Request Forgery (SSRF) was absorbed into 2025’s Broken Access Control category. 

This reflects the perspective that many SSRF issues are fundamentally about improper access control, allowing an attacker to coerce a server into making requests it should not be able to make (for example, to internal services or metadata endpoints). Rather than tracking SSRF separately, OWASP now treats it as a specific manifestation of broken access control.
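One way to treat a server-side fetch as the access-control decision described above: a deny-by-default check on the target URL. This is an added example, not Fastly's or OWASP's code; the allowlist, the stub resolver and the addresses in it are constructed for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only origins this service may fetch from.
ALLOWED_HOSTS = {"api.partner.example", "images.example"}
ALLOWED_SCHEMES = {"https"}

# Constructed stand-in for DNS so the example runs offline. Production code
# resolves with the system resolver and connects to the address it checked.
RESOLVE_TABLE = {
    "api.partner.example": ["23.45.67.89"],
    "images.example": ["104.16.1.1"],
    "evil.example": ["169.254.169.254"],  # resolves to a cloud metadata endpoint
}


def resolve_stub(host):
    return RESOLVE_TABLE.get(host, [])


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_outbound_target(url, resolver=resolve_stub):
    """Deny-by-default policy for a server-side fetch; returns (allowed, reason).
    Scheme, host and port must match the allowlist, and every address the host
    resolves to must be public, so DNS cannot redirect the request inward."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # userinfo is stripped here, so user@host forms are not fooled
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    if parts.port not in (None, 443):
        return False, f"port {parts.port} not allowed"
    addrs = resolver(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"host {host!r} resolves to non-public {ip}"
    return True, "ok"
```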

What does this mean for your security program? 

The changes to the Top 10 list highlight the need for a more comprehensive view of security across your software development lifecycle. At the highest level, OWASP recommends establishing and using repeatable security processes and standard security controls across your environments. More specifically, they provided five areas of improvement based on the 2025 list findings.

Establish a risk-based approach

OWASP urges orgs to look at risk from a business perspective - from satisfying regulatory requirements to identifying the needs of the application portfolio, you should establish a level of risk tolerance. From this risk tolerance, the use of a common risk rating model can help provide a structured way to gauge risk. 

Build a strong security program foundation

OWASP recommends orgs establish policies and standards that give a baseline for all development and security teams to adhere to.

Integrate security into existing processes

By integrating security into existing development and operational processes, you can maintain development velocity while also taking note of areas for improvement in existing processes and tools. 

Prioritize AppSec Education

Security champion programs, or at least general security education, should be mandatory - security is everyone’s responsibility. 

Give senior stakeholders visibility

OWASP says orgs should aim to ‘manage with metrics’. This means making decisions based on clear visibility into AppSec program functionality. 

You can find a more detailed discussion of OWASP’s recommendations here.

How Fastly can help secure you against the OWASP Top 10

Resolving security risks from the OWASP Top 10 involves a layered security approach and a holistic look at an existing security program. Broadly, organizations should ensure security is considered from coding to infrastructure and third-party components.

For each ranking and category, Fastly's fix:

A01:2025 - Broken Access Control

- Fastly’s Next-Gen WAF blocks malicious requests (like directory traversal) before they can reach the origin.

- Fastly’s Next-Gen WAF can be easily configured to protect against brute force attacks such as credential stuffing by detecting such attacks and blocking the attackers’ login attempts.

- Fastly’s Next-Gen WAF can rate limit API requests and alert when thresholds have been crossed, following OWASP’s recommendation.

A02:2025 - Security Misconfiguration

- The Fastly Edge Cloud Platform can also be configured to add security headers such as Content-Security-Policy and Strict-Transport-Security. Automatically setting response headers returned to clients from the edge can provide another layer of protection against improperly configured applications or origin servers.

- Fastly's Next-Gen WAF can alert administrators when server responses do not contain required security headers.

A03:2025 - Software Supply Chain Failures

- For the rest of your software supply chain, the Next-Gen WAF offers virtual patches for emerging threats and new CVEs. Virtual patches offer temporary relief from new vulnerabilities, blocking attempts to exploit them while the underlying software is patched.

- Fastly, as part of your software supply chain, can automatically update to the latest version, ensuring your services are hardened against bugs and other findings.

A04:2025 - Cryptographic Failures

- Fastly Edge Cloud Platform handles TLS termination and acceleration at a global scale with secure defaults (such as TLS 1.3 and removal of weak ciphers) for customers. We can ensure that weak encryption ciphers and protocols are not permitted for requests to sensitive areas of the application or for any application requests.

- Fastly's Next-Gen WAF can log requests and alert if required response security headers are ever missing.

A05:2025 - Injection

- Fastly's Next-Gen WAF by default detects injection attacks without the need for additional rules or tuning.

- Fastly's Next-Gen WAF utilizes SmartParse, its proprietary detection technology, designed to make instantaneous decisions in line to determine if there are malicious or anomalous payloads present. By evaluating the context of the request and how it would actually execute, SmartParse makes highly accurate decisions.

A06:2025 - Insecure Design

- Next-Gen WAF allows for custom signals to be created to monitor activity around susceptible routes or flows in an application. For example, if an application is built around a /checkout flow and this is a sensitive application route, you can attach a custom signal to client requests for this part of the application. The custom signal will allow you to monitor activity and create blocking or rate-limiting rules based on the properties of the request in the face of abusive behavior.

A07:2025 - Authentication Failures

- Next-Gen WAF can be configured to protect against brute force attacks such as credential stuffing by detecting such attacks and blocking the attacker’s login attempts. All failed login attempts are logged, and administrators are immediately alerted when the attacker is detected.

- The Next-Gen WAF can detect insecure authentication attempts, such as using JSON web tokens with the None algorithm.
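A defender-side check for the JWT None-algorithm case just mentioned, written as an added example rather than Fastly's own detection logic: it decodes the token header from an Authorization value and labels it for logging and alerting. The allowed-algorithm set and the sample token builder are constructed for the demo.

```python
import base64
import json

# Assumed: the algorithms this service's tokens legitimately use.
ALLOWED_ALGS = {"RS256", "ES256"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header, payload, signature=b""):
    """Constructed sample-token builder for the demo (no real signing)."""
    segs = [_b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    return ".".join(segs + [_b64url_encode(signature)])


def jwt_header(token):
    """Decode the JOSE header of a compact JWT; None if it is not well-formed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return header if isinstance(header, dict) else None


def classify_bearer_token(authorization):
    """Label an Authorization header value: 'ok', 'alg-none', 'alg-not-allowed',
    'malformed' or 'not-bearer'. The 'alg' comparison is case-insensitive so
    that spelling variants of 'none' are rejected as well."""
    if not authorization or not authorization.lower().startswith("bearer "):
        return "not-bearer"
    header = jwt_header(authorization[7:].strip())
    if header is None:
        return "malformed"
    if str(header.get("alg", "")).strip().lower() == "none":
        return "alg-none"
    if header.get("alg") not in ALLOWED_ALGS:
        return "alg-not-allowed"
    return "ok"
```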

A08:2025 - Software or Data Integrity Failures

- The Next-Gen WAF inspects all requests for attacks such as injection attacks.

- The Next-Gen WAF by default parses XML and JSON payloads and flags the request if the payload is malformed without the need for rules.

A09:2025 - Logging and Alerting Failures

- The Next-Gen WAF monitors all incoming HTTP requests for attacks and anomalies. This includes monitoring and logging all login attempts, successes, and failures.

- The Next-Gen WAF sends out real-time event notifications to a list of default webhook integrations in the dashboard.

A10:2025 - Mishandling of Exceptional Conditions

- Fastly offers automatic DDoS Protection, configurable rate limits, alerts for extraneous conditions where possible, and the creation of sources of truth for your AppSec program via comprehensive dashboards from which you can quickly gauge whether anything has gone awry.

If you’re looking at the new OWASP Top 10 and wondering what it really means for your apps, we’re here to help. Get in touch with our team of security experts or contact your Fastly account team.