DARR
Reverse crosswalk

OWASP Top 10 for LLM Applications 2025

10 entries, 10 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.

| Framework entry | Description | Disposition | Register mapping | Confidence | Note |
|---|---|---|---|---|---|
| LLM01:2025 Prompt Injection | A Prompt Injection Vulnerability occurs when user prompts alter the LLM's behavior or output in unintended ways. These inputs can affect the model even if they are imperceptible to humans. | Mapped | MR-010 | Clear | Prompt injection maps directly to MR-010 and its direct and indirect injection sub-risks. |
| LLM02:2025 Sensitive Information Disclosure | Sensitive information can affect both the LLM and its application context, including PII, financial details, health records, confidential business data, security credentials and legal documents, as well as proprietary model details. | Mapped | MR-009, MR-013 | Clear | Sensitive information disclosure spans leakage of personal or sensitive data (MR-009) and disclosure of confidential or proprietary information (MR-013). |
| LLM03:2025 Supply Chain | LLM supply chains are susceptible to various vulnerabilities, which can affect the integrity of training data, models and deployment platforms, resulting in biased outputs, security breaches or system failures. | Mapped | MR-018 | Clear | LLM supply chain is the register's AI supply-chain and infrastructure vulnerabilities risk (MR-018). |
| LLM04:2025 Data and Model Poisoning | Data poisoning occurs when pre-training, fine-tuning or embedding data is manipulated to introduce vulnerabilities, backdoors or biases, compromising model security, performance or ethical behavior. | Mapped | MR-014 | Clear | Data and model poisoning maps directly to MR-014. |
| LLM05:2025 Improper Output Handling | Improper Output Handling refers specifically to insufficient validation, sanitization and handling of the outputs generated by large language models before they are passed downstream to other components and systems. | Mapped | MR-020; also MR-019, MR-010.4 | Partial | Improper output handling (unsanitized LLM output passed downstream, enabling XSS, SSRF or RCE) is an integration-boundary failure, closest to insecure integration with external tools and APIs (MR-020); also relates to insecure code generation (MR-019) and manipulation of trusted output (MR-010.4). |
| LLM06:2025 Excessive Agency | Excessive Agency is the vulnerability that enables damaging actions in response to unexpected, ambiguous or manipulated outputs from an LLM granted the ability to call functions or interface with other systems via extensions (tools, skills or plugins). Root causes include excessive functionality, excessive permissions or excessive autonomy. | Mapped | MR-071, MR-020 | Clear | Excessive agency is the autonomous-agent excessive-agency risk (MR-071), with tool/permission exposure under insecure integration (MR-020). |
| LLM07:2025 System Prompt Leakage | The system prompt leakage vulnerability refers to the risk that the system prompts or instructions used to steer the behavior of the model can also contain sensitive information that was not intended to be discovered. | Mapped | MR-013.2 (under MR-013) | Clear | System prompt leakage is system-prompt and instruction extraction (MR-013.2) under MR-013. |
| LLM08:2025 Vector and Embedding Weaknesses | Vectors and embeddings vulnerabilities present significant security risks in systems utilizing Retrieval Augmented Generation (RAG) with LLMs: weaknesses in how vectors and embeddings are generated, stored or retrieved can be exploited to inject harmful content, manipulate outputs or access sensitive information. | Mapped | MR-010.6, MR-010.7, MR-009 | Partial | Vector and embedding weaknesses are distributed across RAG poisoning (MR-010.6 and MR-010.7) and embedding-inversion data leakage (MR-009); the register has no single vector-store risk. |
| LLM09:2025 Misinformation | Misinformation occurs when LLMs produce false or misleading information that appears credible, often caused by hallucination, and can lead to security breaches, reputational damage and legal liability; overreliance compounds the harm. | Mapped | MR-021, MR-023, MR-034 | Clear | Misinformation spans hallucination / fabricated output (MR-021), information-ecosystem degradation (MR-023) and overreliance (MR-034). |
| LLM10:2025 Unbounded Consumption | Unbounded Consumption covers attacks designed to disrupt service, deplete the target's financial resources (denial of wallet), or even steal intellectual property by cloning a model's behavior, by exploiting uncontrolled inference. | Mapped | MR-015, MR-016 | Clear | Unbounded consumption covers denial of service and denial of wallet (MR-015) and model cloning or extraction via heavy querying (MR-016). |

Descriptions are each source framework's own text, where it provides one; long entries are clipped here.