Reverse crosswalk
OWASP Top 10 for LLM Applications 2025
10 entries, 10 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.
| Framework entry | Description | Disposition | Confidence | Register mapping | Note |
|---|---|---|---|---|---|
| LLM01:2025 Prompt Injection | A Prompt Injection Vulnerability occurs when user prompts alter the LLM's behavior or output in unintended ways. These inputs can affect the model even if they are imperceptible to humans. | Mapped | Clear | Prompt injection maps directly to MR-010 and its direct and indirect injection sub-risks. | |
| LLM02:2025 Sensitive Information Disclosure | Sensitive information can affect both the LLM and its application context, including PII, financial details, health records, confidential business data, security credentials and legal documents, as well as proprietary model details. | Mapped | Clear | Sensitive information disclosure spans leakage of personal or sensitive data (MR-009) and disclosure of confidential or proprietary information (MR-013). | |
| LLM03:2025 Supply Chain | LLM supply chains are susceptible to various vulnerabilities, which can affect the integrity of training data, models and deployment platforms, resulting in biased outputs, security breaches or system failures. | Mapped | Clear | LLM supply chain is the register's AI supply-chain and infrastructure vulnerabilities risk (MR-018). | |
| LLM04:2025 Data and Model Poisoning | Data poisoning occurs when pre-training, fine-tuning or embedding data is manipulated to introduce vulnerabilities, backdoors or biases, compromising model security, performance or ethical behavior. | Mapped | Clear | Data and model poisoning maps directly to MR-014. | |
| LLM05:2025 Improper Output Handling | Improper Output Handling refers specifically to insufficient validation, sanitization and handling of the outputs generated by large language models before they are passed downstream to other components and systems. | Mapped | Partial | Improper output handling (unsanitized LLM output passed downstream, enabling XSS, SSRF or RCE) is an integration-boundary failure, closest to insecure integration with external tools and APIs (MR-020); also relates to insecure code generation (MR-019) and manipulation of trusted output (MR-010.4). | |
| LLM06:2025 Excessive Agency | Excessive Agency is the vulnerability that enables damaging actions in response to unexpected, ambiguous or manipulated outputs from an LLM granted the ability to call functions or interface with other systems via extensions (tools, skills or plugins). Root causes include excessive functionality, excessive permissions or excessive autonomy. | Mapped | Clear | Excessive agency is the autonomous-agent excessive-agency risk (MR-071), with tool/permission exposure under insecure integration (MR-020). | |
| LLM07:2025 System Prompt Leakage | The system prompt leakage vulnerability refers to the risk that the system prompts or instructions used to steer the behavior of the model can also contain sensitive information that was not intended to be discovered. | Mapped | Clear | System prompt leakage is system-prompt and instruction extraction (MR-013.2) under MR-013. | |
| LLM08:2025 Vector and Embedding Weaknesses | Vectors and embeddings vulnerabilities present significant security risks in systems utilizing Retrieval Augmented Generation (RAG) with LLMs: weaknesses in how vectors and embeddings are generated, stored or retrieved can be exploited to inject harmful content, manipulate outputs or access sensitive information. | Mapped | Partial | Vector and embedding weaknesses are distributed across RAG poisoning (MR-010.6 and MR-010.7) and embedding-inversion data leakage (MR-009); the register has no single vector-store risk. | |
| LLM09:2025 Misinformation | Misinformation occurs when LLMs produce false or misleading information that appears credible, often caused by hallucination, and can lead to security breaches, reputational damage and legal liability; overreliance compounds the harm. | Mapped | Clear | Misinformation spans hallucination / fabricated output (MR-021), information-ecosystem degradation (MR-023) and overreliance (MR-034). | |
| LLM10:2025 Unbounded Consumption | Unbounded Consumption covers attacks designed to disrupt service, deplete the target's financial resources (denial of wallet), or even steal intellectual property by cloning a model's behavior, by exploiting uncontrolled inference. | Mapped | Clear | Unbounded consumption covers denial of service and denial of wallet (MR-015) and model cloning or extraction via heavy querying (MR-016). | |
Descriptions are each source framework's own text, where it provides one; long entries are clipped here.
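The two partially or jointly mapped entries above that sit at the integration boundary, LLM05 (Improper Output Handling) and LLM06 (Excessive Agency), come down to the same engineering rule: model output is untrusted input to whatever consumes it next. The following is an added illustration written for this page; it is not code from OWASP, from the register or from any product. The tool names, the parameter schema and the host allowlist are assumptions chosen for the example, and the sample model outputs are constructed.

```python
"""Boundary checks applied to LLM output before it is rendered or acted on.

Added example (not from OWASP or the risk register). Covers the failure modes
named under LLM05 (XSS and SSRF from unsanitized output) and LLM06 (an agent
invoking functionality or targets it was never meant to have).
"""
import html
import json
from urllib.parse import urlparse

# Hypothetical tool registry for this example: tool name -> exact set of
# parameter names the tool accepts. Anything else is excessive functionality.
TOOL_SCHEMA = {
    "fetch_url": {"url"},
    "search_docs": {"query"},
}

# Hypothetical allowlist of hosts the fetch_url tool may contact (assumption).
ALLOWED_HOSTS = {"docs.example.com", "api.example.com"}


class OutputRejected(ValueError):
    """Raised when model output fails a boundary check."""


def render_html(model_text: str) -> str:
    """Escape model text before it reaches a browser (LLM05: XSS)."""
    return html.escape(model_text, quote=True)


def validate_fetch_target(url: str) -> str:
    """Refuse model-chosen URLs outside the allowlist (LLM05: SSRF).

    Checking the parsed hostname, not a substring of the raw string, defeats
    tricks such as 'https://docs.example.com@evil.example/'.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise OutputRejected(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise OutputRejected(f"host not allowed: {parsed.hostname!r}")
    if parsed.username or parsed.password:
        raise OutputRejected("credentials in URL")
    return url


def parse_tool_call(model_output: str) -> dict:
    """Parse a JSON tool call and enforce the schema (LLM06: excessive agency).

    Unknown tools, unexpected or missing parameters and non-string values are
    rejected rather than passed through to a dispatcher.
    """
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise OutputRejected(f"not JSON: {exc}") from None
    if not isinstance(call, dict):
        raise OutputRejected("tool call must be an object")
    name = call.get("tool")
    if name not in TOOL_SCHEMA:
        raise OutputRejected(f"unknown tool: {name!r}")
    args = call.get("args")
    if not isinstance(args, dict):
        raise OutputRejected("args must be an object")
    if set(args) != TOOL_SCHEMA[name]:
        raise OutputRejected(f"parameters must be exactly {sorted(TOOL_SCHEMA[name])}")
    if not all(isinstance(v, str) for v in args.values()):
        raise OutputRejected("parameter values must be strings")
    if name == "fetch_url":
        validate_fetch_target(args["url"])
    return {"tool": name, "args": args}


# Constructed model outputs, labelled by what they exercise.
SAMPLES = {
    "benign fetch": '{"tool": "fetch_url", "args": {"url": "https://docs.example.com/guide"}}',
    "ssrf to metadata service": '{"tool": "fetch_url", "args": {"url": "https://169.254.169.254/latest/meta-data"}}',
    "userinfo host trick": '{"tool": "fetch_url", "args": {"url": "https://docs.example.com@evil.example/"}}',
    "unknown tool": '{"tool": "run_shell", "args": {"cmd": "id"}}',
    "extra parameter": '{"tool": "fetch_url", "args": {"url": "https://docs.example.com/", "headers": "x"}}',
    "prose with markup": 'Sure! <script>alert(1)</script>',
}


def check_samples() -> dict:
    """Return, per sample label, whether the tool call passed the boundary."""
    results = {}
    for label, output in SAMPLES.items():
        try:
            parse_tool_call(output)
            results[label] = True
        except OutputRejected:
            results[label] = False
    return results


if __name__ == "__main__":
    for label, accepted in check_samples().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {label}")
    print(render_html(SAMPLES["prose with markup"]))
```

The point of the example is where the checks live: at the consumer of the model output, not in the prompt. A prompt that asks the model to "only call fetch_url on docs.example.com" addresses none of the rows above; the allowlist and schema do, regardless of what the model was induced to emit.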