The OWASP Top 10 for Large Language Model Applications is the most widely referenced framework for understanding and testing AI-specific security risks. First released in 2023 as a community-driven effort, OWASP updated the list in late 2024 to reflect real-world incidents, emerging attack techniques, and the rapid growth of agentic AI. The 2025 edition adds two new categories, substantially reworks several others, and reorders existing risks based on community feedback.
For enterprises deploying LLM-powered features โ chatbots, copilots, AI agents, RAG systems, or embedded AI functionality โ understanding and testing against this framework is essential. This guide covers each category and how we test for it.
LLM01: Prompt Injection
Prompt injection holds the number-one position for the second consecutive edition. LLMs process instructions and data in the same channel without clear separation, making them inherently vulnerable to inputs that override or manipulate their intended behaviour.
**Direct prompt injection** involves a user crafting input that overrides the system prompt โ for example, instructing the model to ignore its rules and reveal internal instructions, or to produce harmful output.
**Indirect prompt injection** is more dangerous and harder to detect: malicious instructions are embedded in data the LLM processes โ emails, documents, web pages, database records โ so the attack comes not from the user but from the content the model retrieves and processes.
**How we test:** We systematically probe both direct and indirect injection paths across every data source the LLM touches, including RAG retrieval pipelines, tool inputs, and multi-turn conversation context.
LLM02: Sensitive Information Disclosure
LLMs can inadvertently reveal sensitive information โ system prompts, API keys, internal instructions, personally identifiable information from training data, or confidential business logic embedded in their configuration.
**How we test:** We probe for training data memorisation, system prompt extraction, and context-window exploitation across various conversation patterns and edge cases.
LLM03: Supply Chain
LLM applications depend on complex supply chains: pre-trained models, fine-tuning datasets, embedding models, vector databases, plugins, and third-party APIs. Each is a potential attack vector. Compromised dependencies can introduce backdoors, biased outputs, or security vulnerabilities that are difficult to detect.
**How we test:** We assess the provenance and integrity of model components, evaluate third-party plugin security, and test for supply-chain-specific attack paths.
LLM04: Data and Model Poisoning
The 2025 edition expands the scope of data poisoning beyond training data to include manipulations during fine-tuning and embedding. Attackers can introduce malicious data at multiple stages of the LLM lifecycle to manipulate model behaviour, degrade performance, or create backdoors.
**How we test:** We evaluate fine-tuning pipelines for integrity controls, test embedding models for manipulation resistance, and assess data validation in the training and ingestion pipeline.
LLM05: Improper Output Handling
LLM outputs are often consumed by downstream systems โ databases, APIs, web interfaces, or other applications. If these systems trust LLM output without proper validation, attackers can use the LLM as an injection vector, achieving cross-site scripting, SQL injection, or command injection through crafted model responses.
**How we test:** We trace every output path from the LLM to downstream systems and test whether crafted model outputs can achieve injection in each consumer.
LLM06: Excessive Agency
This is one of the most significantly expanded entries in the 2025 edition. As LLMs gain tool-use capabilities โ calling APIs, querying databases, sending emails, executing code โ the risk of unintended actions grows substantially. OWASP breaks excessive agency into three root causes: excessive functionality (the agent can reach tools beyond its task scope), excessive permissions (those tools operate with broader privileges than necessary), and excessive autonomy (high-impact actions proceed without a human in the loop).
**How we test:** We map every tool and API the LLM can access, test whether it can be manipulated into invoking unintended tools, escalating privileges through tool chains, or executing high-impact actions without proper authorisation gates.
LLM07: System Prompt Leakage (NEW in 2025)
A new category focusing on the exposure of internal system prompts that contain sensitive instructions, credentials, or operational logic. System prompts often contain API keys, passwords, connection strings, internal operational logic, security mechanisms and content filtering rules, and access control configurations.
**How we test:** We systematically attempt to extract system prompts through direct requests, indirect techniques, and conversation-manipulation patterns.
LLM08: Vector and Embedding Weaknesses (NEW in 2025)
Also new, this category addresses the RAG (Retrieval-Augmented Generation) pipeline โ the system that retrieves external knowledge to supplement LLM responses. Attackers can poison vector databases by injecting malicious content that gets retrieved during legitimate queries, exploit insufficient access controls on vector stores to access data across tenant boundaries, or manipulate embedding models to produce misleading similarity results.
**How we test:** We test RAG pipeline integrity, vector database access controls, cross-tenant data isolation, and whether injected content can influence retrieval results.
LLM09: Misinformation
LLMs sound confident even when wrong. They hallucinate facts, invent citations, and present fabricated information with the same fluency as accurate responses. For enterprise applications โ especially those making recommendations, providing medical or legal information, or generating reports โ this is a significant risk.
**How we test:** We evaluate the application's fact-checking mechanisms, hallucination guardrails, and whether users can distinguish model-generated content from verified information.
LLM10: Unbounded Consumption
LLM inference is computationally expensive. Without proper controls, attackers can exploit this through denial-of-service attacks that consume excessive compute resources, manipulate context windows to maximise token consumption, or abuse model APIs through high-volume automated requests.
**How we test:** We test rate limiting, token-consumption controls, context-window handling, and the application's resilience to resource-exhaustion attacks.
Why Expert Testing Matters for AI
Automated security scanning tools were not designed for AI-specific attack surfaces. Prompt injection, guardrail bypass, agency abuse, and RAG pipeline manipulation require human testers who understand both AI systems and offensive security techniques. This is genuinely a new discipline that combines traditional application security expertise with AI-specific knowledge.
How Simuna Infosec Helps
Our AI/LLM VAPT service tests against the complete OWASP Top 10 for LLM Applications 2025 and extends beyond it with proprietary test cases for business-logic abuse, multi-turn manipulation, and indirect prompt injection via untrusted data sources. We test LLM-powered applications (chatbots, copilots, AI agents), RAG systems, AI APIs, and embedded AI features โ both cloud-hosted and self-hosted models. Every engagement includes our dual-round verification model: we test, you remediate, we verify the fixes hold.
*This article references the OWASP Top 10 for LLM Applications 2025 edition. The AI security landscape evolves rapidly; consult the latest OWASP guidance at genai.owasp.org.*