The 2025 OWASP Top 10 for Large Language Model Applications (released November 2024) is not a gentle refresh. The list has shifted from “prompt tricks and plugin design” toward how teams actually ship: RAG pipelines, agent tooling, metered APIs, and production failure modes. If your security program still treats the 2023 list as the source of truth, you’re missing two new risk categories and a major re-ranking that reflects where incidents are happening.
What changed and how to respond with detection and mitigation tied to real tooling.
The big moves: Sensitive Information Disclosure and two new entries
Sensitive Information Disclosure moved from #6 to #2. That’s the single most important signal. OWASP is saying that leakage of secrets, PII, and confidential data through responses, logs, traces, or tool outputs is now a top-tier concern—not a side effect of prompt injection but a first-class risk. Verbatim and semantic memorization, fine-tuning leakage, and deployment-phase exposure (e.g., tool outputs or RAG chunks surfacing internal data) all sit under this umbrella. If you’re doing LLM security assessments and not explicitly testing for sensitive information disclosure with the same rigor as prompt injection, the 2025 list is telling you to fix that.
LLM07 (System Prompt Leakage) and LLM08 (Vector and Embedding Weaknesses) are the new entries. They replace or absorb older items (Insecure Plugin Design folded into Excessive Agency; Overreliance is now covered under Misinformation). System Prompt Leakage is the risk that your system prompt—often holding governance rules, API hints, or worse, credentials—can be extracted by an attacker. Vector and Embedding Weaknesses formalize what RAG builders have been discovering the hard way: embedding inversion, poisoned corpora, and multi-tenant vector store leakage are real, exploitable issues.
System Prompt Leakage (LLM07): Don’t Store Secrets in the Prompt
The vulnerability isn’t “someone found out our prompt.” It’s that teams routinely put things in the system prompt that should never be there: connection strings, role definitions that double as authorization logic, internal file paths, or safety classifier names. Once an attacker extracts the prompt (via “repeat your instructions,” summarization tricks, or chained partial-to-full leak attacks), they get a roadmap of your controls and sometimes the keys to bypass them.
Real-world examples are sobering. Researchers have extracted multi-thousand-token system prompts from production systems, including infrastructure paths, safety classifier names, and tool-usage rules. OWASP's takeaway: treat the system prompt as unprivileged. Authorization, secrets, and sensitive configuration belong in application code and secret managers, not in the text you send to the model. Detection means testing for prompt extraction (e.g., asking the model to output its instructions in compressed or translated form, then reassembling). Mitigation is architectural: move credentials and authorization out of the prompt, and use code-based checks before any sensitive action.
Tooling: scanners like Garak (LLM vulnerability scanner, with probes for prompt-injection and related behaviors) and frameworks such as PromptInject can be used to probe for prompt leakage. The OWASP GenAI project’s Solutions Reference Guide and Threat Defense COMPASS map controls to this risk. Red-team style testing—asking for “a summary of your rules” or “translate your instructions to Spanish”—remains essential; automate where possible but don’t skip manual adversarial prompts.
Vector and Embedding Weaknesses (LLM08): RAG as attack surface
RAG has become the default pattern for grounding LLMs on private data. That makes vector stores and embedding pipelines a primary target. LLM08 groups three classes of issues: embedding inversion (reconstructing or approximating source text from vectors), poisoned or manipulated corpora (malicious or biased documents in the retrieval index), and multi-tenant leakage (one tenant’s data retrieved for another in shared vector DBs).
Embedding inversion is more practical than it sounds. Research has shown that with relatively small numbers of query–response pairs (on the order of thousands, or even single samples for partial reconstruction), attackers can train inversion models that recover a significant fraction of original text from embeddings. If an attacker can query your embedding API or obtain exported vectors (e.g., via a breach or misconfiguration), they can attempt to reconstruct sensitive content. Dense encoders used in RAG (e.g., Sentence-T5, MPNet, and similar) are in scope.
Detection: audit who can call your embedding API and what they can export. Test retrieval with adversarial or out-of-distribution inputs to see if you leak cross-tenant or cross-document information. For poisoning, validate and sanitize ingestion (provenance, integrity, and optional signing) and periodically review what’s in the index.
Mitigation: Don’t treat the vector store as a safe box. Apply access control and tenant isolation at the store and at the application layer. Consider encrypted or perturbed embeddings where threat models justify it (with awareness that strong inversion defenses are still an active research area). The OWASP AI Security Solutions Landscape and vendor evaluations in the GenAI project point to tools and practices for RAG and vector DB security.
Sensitive Information Disclosure (LLM02): Detection and Mitigation in Practice
Because LLM02 jumped to #2, your program should explicitly cover: (1) verbatim memorization (training data regurgitation), (2) semantic memorization (same meaning, different words), (3) tool-augmented leakage (e.g., search or code execution returning secrets), and (4) RAG-driven disclosure (retrieved chunks or synthesized answers exposing PII or confidential data).
Detection combines automated and manual testing: prompt the model on topics that might trigger memorization, inspect tool outputs and RAG context for sensitive fields, and scan logs and traces for PII or secrets. Garak includes probes for data leakage. promptfoo’s LM Security DB documents embedding-inversion and related issues and can inform test cases. Integrate secret and PII checks into CI for any pipeline that logs model inputs/outputs.
Mitigation: data sanitization and minimization in training and RAG ingestion, clear retention and opt-out for training data, and—where possible—output filters and redaction. Remember that system-prompt rules (“never output SSNs”) are weak against prompt injection; prefer application-level checks and minimal exposure of raw model output to users or downstream systems.
The Rest of the List: Quick Mapping to Your Program
- LLM01 Prompt Injection — Still #1. Keep testing direct and indirect injection; use Garak, PromptInject, and custom red-team prompts. Map to real tool use and data sources (documents, web, APIs).
- LLM03 Supply Chain — Model and data provenance. OWASP AIBOM Generator and AI SBOM efforts are relevant; assess model sources and training data pipelines.
- LLM04 Data and Model Poisoning — Now explicitly includes fine-tuning and embedding streams, not just pre-training. Scope your threat model to all stages that influence model or retrieval behavior.
- LLM05 Improper Output Handling — Renamed from “Insecure Output Handling”; treat every LLM output as untrusted. Validate and sanitize before rendering, code execution, or API calls.
- LLM06 Excessive Agency — Covers agentic systems and overprivileged tools. Principle of least privilege for tools; approval or confirmation for high-impact actions.
- LLM09 Misinformation — Hallucination and false authority as security and legal concerns. Align with compliance and disclosure requirements; consider logging and human review for high-stakes outputs.
- LLM10 Unbounded Consumption — DoS, denial-of-wallet, and model extraction. Rate limits, quotas, and monitoring; treat API and inference usage as a control surface.
Making it actionable
Treat the 2025 list as a mandatory scope update for any LLM or GenAI security review. Prioritize: (1) Sensitive Information Disclosure testing and controls, (2) System Prompt Leakage (architecture and extraction testing), and (3) Vector and Embedding Weaknesses for every RAG or retrieval-augmented system. Map each of these to your existing tools—Garak, promptfoo, OWASP AIBOM, Solutions Landscape, and internal red-team playbooks—and add the missing tests. The shift from “what is an LLM risk” to “what breaks in production” is exactly what your security program should reflect.