
What is OWASP Top 10 for 2025

OWASP Top 10:2025 – Release Candidate (RC1) is the new draft version of the OWASP Top 10, published on 6 November 2025 as the 8th edition of the project. It’s “almost final” but still open for community feedback and minor adjustments. (OWASP Foundation)

Below is a structured “complete details” view you can reuse in training.


1. What is OWASP Top 10:2025 RC1?

  • It’s the 2025 update of the OWASP Top Ten – the list of the 10 most critical web application security risks.
  • Status: Release Candidate 1 (RC1) – i.e. a near-final draft open for comments and issues on GitHub. (OWASP Foundation)
  • It keeps the same spirit as 2021 (data-informed + survey + expert review) but:
    • Adds two new categories
    • Expands the supply-chain risk area
    • Consolidates SSRF into Broken Access Control
    • Focuses more explicitly on root causes than symptoms. (OWASP Foundation)

2. The OWASP Top 10:2025 RC1 List

From the official OWASP introduction page: (OWASP Foundation)

  1. A01:2025 – Broken Access Control
  2. A02:2025 – Security Misconfiguration
  3. A03:2025 – Software Supply Chain Failures ⭐ (new / expanded)
  4. A04:2025 – Cryptographic Failures
  5. A05:2025 – Injection
  6. A06:2025 – Insecure Design
  7. A07:2025 – Authentication Failures (renamed)
  8. A08:2025 – Software or Data Integrity Failures
  9. A09:2025 – Security Logging and Alerting Failures (renamed)
  10. A10:2025 – Mishandling of Exceptional Conditions ⭐ (new)

3. High-level Overview of Each Category

A01:2025 – Broken Access Control

  • What: Users can access data or functions they shouldn’t (horizontal/vertical privilege escalation, IDOR, forced browsing, SSRF folded in).
  • Change vs 2021: Still #1 risk. Now explicitly includes SSRF, which was a separate A10 in 2021. (OWASP Foundation)
  • Examples:
    • A regular user reaching /admin functions (vertical privilege escalation)
    • Changing the numeric ID in a URL to read another user’s record (IDOR, horizontal privilege escalation)
    • SSRF: the server is made to fetch an attacker-chosen URL such as a cloud metadata endpoint or an internal service; now treated as an access control failure because the application grants network access it should not
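
Both halves of A01 in one place, as an added training example (this is not OWASP’s code or code from the page): an IDOR endpoint beside its object-level-authorised version, and an SSRF destination check. The document store, the allowlisted host `api.partner.example`, and the injected `resolve` callable are all constructed for the demo; in production you would pass `socket.gethostbyname` (or resolve once and connect to that pinned address, so a DNS rebinding between check and fetch cannot redirect you).

```python
import ipaddress
from urllib.parse import urlparse

# Constructed in-memory data: the object store whose ids leak into URLs.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}
ADMINS = {"carol"}


class Forbidden(Exception):
    pass


def get_document_vulnerable(doc_id, current_user):
    """IDOR: the id taken from the URL is trusted and ownership is never checked.
    Any logged-in user can walk /documents/101, /documents/102, ..."""
    return DOCUMENTS[doc_id]["body"]


def get_document(doc_id, current_user):
    """Object-level authorization: deny by default, allow owner or admin.
    A missing document and a foreign document raise the same error, so the
    endpoint cannot be used to enumerate which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (current_user != doc["owner"] and current_user not in ADMINS):
        raise Forbidden(f"user {current_user!r} may not read document {doc_id}")
    return doc["body"]


# SSRF side: hosts this service is allowed to fetch from (constructed allowlist).
ALLOWED_FETCH_HOSTS = {"api.partner.example"}


def is_safe_fetch_target(url, resolve):
    """Return True only if `url` points at an allowlisted host that resolves to a
    public address. `resolve` is a hostname -> IP string callable, injected so the
    check can be exercised offline (pass socket.gethostbyname in production)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False                      # no file://, gopher://, etc.
    host = parts.hostname                 # strips userinfo and port, lower-cases
    if host is None or host not in ALLOWED_FETCH_HOSTS:
        return False                      # "http://api.partner.example@169.254.169.254/" lands here
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        return False                      # resolution failed: fail closed
    # Loopback, RFC 1918, link-local (cloud metadata 169.254.169.254), CGNAT and
    # similar ranges are all non-global; an allowlisted name that resolves to one
    # of them is treated as an attack (or DNS rebinding) and refused.
    return addr.is_global and not addr.is_multicast
```

The two functions share one idea: the application, not the caller, decides which objects and which network destinations are reachable, and every unknown case is a denial.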

A02:2025 – Security Misconfiguration

  • What: Failures in securely configuring applications, frameworks, servers, cloud services, or containers.
  • Change vs 2021: Moves from #5 (2021) up to #2 (2025); almost every app tested had at least one misconfiguration. (OWASP Foundation)
  • Examples:
    • Default credentials or sample apps left enabled
    • Open S3 buckets / public storage
    • Missing security headers
    • Unnecessary services / verbose error messages

A03:2025 – Software Supply Chain Failures ⭐

  • What: Compromises in dependencies, build pipelines, repositories, or distribution channels – not just “using outdated components”.
  • Change vs 2021: This is a major expansion of 2021’s “Vulnerable and Outdated Components”, extended to the full supply chain (malicious packages, compromised maintainers, tampered build artifacts). (OWASP Foundation)
  • Examples:
    • Installing a malicious NPM/NuGet/PyPI package
    • Compromised CI/CD pipeline injecting backdoors
    • Tampered container base images
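
What “pinning and verifying” looks like in code, as an added example (not from OWASP or the page): an installer that refuses any artifact the lock file did not pin. The `GOOD_ARTIFACT` bytes, the `LOCK` table and the package name `leftpad` are constructed for the demo; real lock files (pip `--require-hashes`, `package-lock.json` integrity fields, `Cargo.lock`) carry the same three facts: name, exact version, digest of the artifact.

```python
import hashlib
import hmac


class IntegrityError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a downloaded artifact and for the lock file that pins
# it. The digest is computed here only so the demo is self-contained; in real
# life it is written at review time and committed alongside the code.
GOOD_ARTIFACT = b"leftpad-1.3.0 wheel contents (constructed)"
LOCK = {
    "leftpad": {"version": "1.3.0", "sha256": sha256_hex(GOOD_ARTIFACT)},
}


def install_vulnerable(name, version, artifact):
    """'Latest is fine': nothing ties the bytes you got to the bytes you reviewed.
    A hijacked maintainer account or a poisoned mirror ships straight to prod."""
    return f"installed {name} {version} ({len(artifact)} bytes, unverified)"


def verify_artifact(name, version, artifact, lock=LOCK):
    """Fail closed on anything the lock file did not pin: unknown package,
    version drift, or a digest that does not match the reviewed artifact."""
    entry = lock.get(name)
    if entry is None:
        raise IntegrityError(f"{name}: not in lock file, refusing unpinned dependency")
    if version != entry["version"]:
        raise IntegrityError(f"{name}: wanted {entry['version']}, got {version}")
    actual = sha256_hex(artifact)
    if not hmac.compare_digest(actual, entry["sha256"]):
        raise IntegrityError(f"{name} {version}: sha256 mismatch ({actual[:12]}...)")
    return True


def install(name, version, artifact, lock=LOCK):
    verify_artifact(name, version, artifact, lock)
    return f"installed {name} {version} (sha256 verified)"
```

The digest check only proves the artifact is the one somebody reviewed; it does not tell you whether that review happened. Pair it with provenance (who built it, from which commit) and with SCA in the pipeline, which is what the A03 category is asking for.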

A04:2025 – Cryptographic Failures

  • What: Incorrect, weak, or missing use of cryptography; poor key management; broken protocols.
  • Change vs 2021: Same category, now #4 instead of #2. Still very prevalent (3.8% of apps had one or more crypto-related CWEs in data). (OWASP Foundation)
  • Examples:
    • Using outdated algorithms (MD5, SHA-1)
    • No encryption for sensitive data in transit or at rest
    • Hardcoded encryption keys
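
The first bullet in working code, as an added example (not OWASP’s or the page’s): an unsalted MD5 password hash next to a salted, slow PBKDF2-HMAC-SHA256 hash with constant-time verification. The storage format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration count are this example’s choices; use whichever KDF and work factor your platform recommends.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password_weak(password: str) -> str:
    """Unsalted MD5: same password -> same hash, so one rainbow-table lookup
    cracks every user who picked that password, and MD5 itself is fast to brute force."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow, self-describing hash: 'pbkdf2_sha256$<iters>$<salt>$<dk>'.
    The parameters live in the string so they can be raised later without a
    flag day: old records keep verifying and are re-hashed on next login."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, TypeError):
        return False          # malformed record: fail closed, never fail open
    # constant-time compare: a plain == can leak how many leading bytes matched
    return hmac.compare_digest(actual, expected)
```

Two identical passwords produce two different strong hashes (different salts) but one identical weak hash; that difference is the whole point of the salt.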

A05:2025 – Injection

  • What: Untrusted input interpreted as code/commands (SQL, NoSQL, OS, LDAP, Expression Language, XSS, etc.).
  • Change vs 2021: Still present, drops from #3 to #5 but remains one of the most tested categories with many associated CVEs and CWEs. (OWASP Foundation)
  • Examples:
    • SQL injection via query concatenation
    • OS command injection in shell calls
    • XSS in templating or HTML output

A06:2025 – Insecure Design

  • What: Flaws at the architectural / design level, independent of any specific implementation bug.
  • Change vs 2021: Introduced in 2021 and now slides from #4 to #6 because misconfiguration and supply-chain risks jumped ahead. (OWASP Foundation)
  • Examples:
    • No threat modeling or misuse-case scenarios
    • Flows that allow money transfer without strong verification
    • Relying solely on client-side controls

A07:2025 – Authentication Failures

  • What: Problems with authentication mechanisms – login, session management, password reset, MFA flows, etc.
  • Change vs 2021: Same position (#7), but renamed from “Identification and Authentication Failures” to simply “Authentication Failures” to better reflect the mapped CWEs. (OWASP Foundation)
  • Examples:
    • Weak password policies or no rate limiting
    • Session IDs exposed in URLs
    • Broken “remember me” or token handling

A08:2025 – Software or Data Integrity Failures

  • What: Failures to verify the integrity and authenticity of code, configuration, or data that the application itself consumes: unsigned or unverified updates, insecure deserialization, trusting data pulled from CDNs or plugins. A03 covers how compromised components reach you through the supply chain; A08 covers the application’s own lack of integrity checks on what it loads and processes. (OWASP Foundation)
  • Change vs 2021: Same category, same ranking (#8); now clearly positioned as complementing A03.
  • Examples:
    • Unsigned or unverified updates
    • Insecure deserialization
    • Trusting untrusted data sources
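
Insecure deserialization made concrete, as an added example (not OWASP’s or the page’s): a session blob loaded with `pickle` executes whatever callable the attacker named, while a data-only JSON body with an HMAC tag is verified before it is parsed. The `record` function stands in for what a real payload would call (`os.system`, `subprocess`), and `KEY` is a constructed demo secret.

```python
import hashlib
import hmac
import json
import pickle

EXECUTED = []


def record(marker):
    """Harmless stand-in for the callable a real payload would name."""
    EXECUTED.append(marker)
    return marker


class Payload:
    """pickle honours __reduce__: on load it calls whatever callable we name."""
    def __reduce__(self):
        return (record, ("arbitrary code ran during unpickling",))


def attacker_bytes() -> bytes:
    return pickle.dumps(Payload())


def load_session_vulnerable(blob: bytes):
    """Deserialises an untrusted blob with pickle: code runs before any
    validation you could write ever sees the result."""
    return pickle.loads(blob)


# --- integrity-checked alternative: a data-only format plus a MAC -------------
KEY = b"constructed-demo-key-use-a-real-secret"


def sign_session(data: dict, key: bytes = KEY) -> bytes:
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def load_session(token: bytes, key: bytes = KEY) -> dict:
    """Verify first, parse second. JSON cannot express 'call this function',
    and the MAC rejects any byte the server did not emit itself."""
    body, sep, tag = token.rpartition(b".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(body)
```

The same shape (sign at the source, verify before use) is what “signed updates” means for the first bullet, just with a public-key signature in place of the HMAC.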

A09:2025 – Security Logging and Alerting Failures

  • What: Missing, incomplete, or un-actionable logging; lack of alerting on important security events.
  • Change vs 2021: Renamed from “Security Logging and Monitoring Failures” to “Security Logging and Alerting Failures”: the emphasis moves from passively collecting logs to actually alerting on the events they record. Still at #9. (OWASP Foundation)
  • Examples:
    • No logs for auth failures or permission violations
    • Logs exist, but no alerts / correlation / monitoring
    • Logs stored in a way that can be easily tampered with
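
The second bullet is the one teams most often fail: the events are logged and nobody reacts. As an added example (not OWASP’s or the page’s), here is detection logic run over a constructed audit log: a sliding-window brute-force rule on authentication failures and an immediate alert on any authorization denial. The line format and thresholds are this example’s assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application audit log, one event per line.
SAMPLE_LOG = """\
2025-11-06T10:00:01Z auth_failure user=alice ip=198.51.100.7
2025-11-06T10:00:05Z auth_failure user=alice ip=198.51.100.7
2025-11-06T10:00:09Z auth_failure user=alice ip=198.51.100.7
2025-11-06T10:00:12Z auth_failure user=alice ip=198.51.100.7
2025-11-06T10:00:15Z auth_failure user=alice ip=198.51.100.7
2025-11-06T10:00:20Z auth_success user=alice ip=198.51.100.7
2025-11-06T10:03:00Z auth_failure user=bob ip=203.0.113.9
2025-11-06T10:05:30Z auth_failure user=bob ip=203.0.113.9
2025-11-06T10:06:00Z auth_success user=bob ip=203.0.113.9
2025-11-06T10:06:30Z authz_denied user=bob ip=203.0.113.9 resource=/admin/users
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_failure|auth_success|authz_denied) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: resource=(?P<resource>\S+))?$"
)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None                      # unparseable lines are skipped, not silently merged
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Rules over the event stream:
    - brute_force: >= threshold auth failures from one IP inside `window`
    - authz_denied: any attempt to use a resource the user is not permitted"""
    alerts = []
    failures = defaultdict(deque)        # ip -> timestamps of recent failures
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == "auth_failure":
            q = failures[rec["ip"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()              # drop failures that fell out of the window
            if len(q) >= threshold:
                alerts.append(("brute_force", rec["ip"], len(q)))
                q.clear()                # one alert per burst, not one per extra failure
        elif rec["event"] == "authz_denied":
            alerts.append(("authz_denied", rec["user"], rec["resource"]))
    return alerts
```

Note what the log itself has to contain for these rules to work: a timestamp, the event type, the principal and the source address. Missing any one of them is the first bullet. The third bullet (tamper-resistant storage) is solved outside the code: ship these lines to an append-only or remote store the application cannot rewrite.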

A10:2025 – Mishandling of Exceptional Conditions ⭐

  • What: Issues stemming from poor error and exception handling, failing open, or incorrect logic around abnormal system states. (OWASP Foundation)
  • Change vs 2021: Brand-new category introduced in 2025.
  • Examples:
    • Catching all exceptions and returning success
    • Suppressing security-related errors (e.g., signature verification failures)
    • Removing or bypassing validation logic in “error” paths

This category formalizes a class of bugs that were previously spread across others (e.g., injection, auth issues) but share the theme of bad behavior when things go wrong.
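
The first bullet (“catch all exceptions and return success”) in code, as an added example that is not OWASP’s or the page’s: a permission check that fails open when its policy backend is unreachable, beside a fail-closed version. `PolicyBackend` is a constructed stand-in for a remote authorization service; the same pattern applies verbatim to signature verification, where a decoding error inside a bare `except` quietly becomes a valid signature.

```python
import logging

log = logging.getLogger("authz")


class PolicyBackend:
    """Constructed stand-in for a remote policy/permission service."""
    def __init__(self, grants, unreachable=False):
        self.grants = grants             # user -> set of permitted actions
        self.unreachable = unreachable

    def is_allowed(self, user, action):
        if self.unreachable:
            raise TimeoutError("policy service unreachable")
        return action in self.grants.get(user, set())


def check_vulnerable(backend, user, action):
    """Catch-all handler that 'keeps the site up': any exception, including ones
    the author never thought about, turns into a yes. Outage = privilege escalation."""
    try:
        return backend.is_allowed(user, action)
    except Exception:
        return True


def check_fail_closed(backend, user, action):
    """Only the anticipated failures are handled, and every one of them denies.
    Unexpected exceptions propagate to a handler that returns a generic 5xx."""
    try:
        decision = backend.is_allowed(user, action)
    except (TimeoutError, ConnectionError) as exc:
        log.error("authz backend failed for %s/%s: %s", user, action, exc)
        return False
    # `decision is True`, not `bool(decision)`: a truthy-but-wrong object
    # (a warning string, an error dict) must not read as an approval
    return decision is True
```

The test that catches this class of bug is the one nobody writes: make the dependency fail and assert that the security decision is still a denial.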


4. What’s Changed vs OWASP Top 10:2021 (Summary)

From OWASP’s own “What’s changed” section: (OWASP Foundation)

1. Two new categories:

  • A03 – Software Supply Chain Failures
  • A10 – Mishandling of Exceptional Conditions

2. One consolidation:

  • SSRF is no longer its own item; it’s rolled into A01 (Broken Access Control) as one way of improperly exposing internal resources.

3. Renames / re-framing:

  • A07 renamed to “Authentication Failures”
  • A09 renamed to “Security Logging and Alerting Failures”
  • Emphasis on root causes (misconfiguration, cryptographic failures, supply chain) rather than symptoms.

4. Ranking shifts:

  • Security Misconfiguration jumps to #2
  • Software Supply Chain Failures debuts at #3
  • Insecure Design, Cryptographic Failures, Injection move slightly down but remain core risks.

5. How OWASP Built the 2025 RC

OWASP describes its methodology clearly: (OWASP Foundation)

  1. Massive data set
    • Over 2.8 million applications analysed from multiple vendors and organizations. (OWASP Foundation)
    • 589 CWEs considered in raw data, with 248 CWEs ultimately mapped into the 10 categories. (OWASP Foundation)
  2. CWE + CVE + CVSS analysis
    • Used OWASP Dependency-Check data to associate CVEs with CWEs. (OWASP Foundation)
    • Calculated average Exploitability and Technical Impact scores using a combination of CVSS v2 and v3. (OWASP Foundation)
  3. Prevalence calculation
    • For each CWE, they looked at the percentage of applications with at least one instance (not the raw count of issues). (OWASP Foundation)
  4. Root-cause focus
    • Categories deliberately focus on root causes (e.g., “Software Supply Chain Failures”) instead of just symptoms. (OWASP Foundation)
  5. Community survey
    • Only 8 of the 10 categories strictly come from data; 2 are promoted by the global community survey to make sure emerging risks (like supply-chain or logging issues) are not missed. (OWASP Foundation)
  6. Release Candidate & feedback loop
    • RC1 published 6 November 2025, with a public comment period via GitHub issues and feedback forms. (OWASP Foundation)
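
Step 3 (incidence rate rather than raw count) is worth seeing on numbers, because it is why a noisy CWE can rank below a quieter but more widespread one. The following is an added illustration over a constructed findings set, not OWASP’s data or scripts: one CWE found 30 times in two apps, another found once in each of eight apps.

```python
from collections import Counter, defaultdict

# Constructed scan findings: (application id, CWE id). CWE-79 was found 30 times
# but only in two apps; CWE-16 once in each of eight apps; CWE-89 in three apps.
FINDINGS = (
    [("app-01", "CWE-79")] * 20
    + [("app-02", "CWE-79")] * 10
    + [(f"app-{n:02d}", "CWE-16") for n in range(1, 9)]
    + [("app-03", "CWE-89"), ("app-09", "CWE-89"), ("app-10", "CWE-89")]
)
TESTED_APPS = [f"app-{n:02d}" for n in range(1, 11)]   # 10 apps in the data set


def raw_counts(findings):
    """Frequency: how many findings of each CWE (what a scanner report shows)."""
    return Counter(cwe for _, cwe in findings)


def incidence_rates(findings, tested_apps):
    """Incidence: share of tested apps with at least one instance of the CWE.
    Each app counts once per CWE, so a single noisy app cannot dominate."""
    apps_per_cwe = defaultdict(set)
    for app, cwe in findings:
        apps_per_cwe[cwe].add(app)
    return {cwe: len(apps) / len(tested_apps) for cwe, apps in apps_per_cwe.items()}


def ranking(scores):
    """CWEs ordered from highest to lowest score."""
    return [cwe for cwe, _ in sorted(scores.items(), key=lambda kv: -kv[1])]
```

On this data the raw count ranks CWE-79 first; the incidence rate puts CWE-16 first (80% of apps) and CWE-79 last (20%). OWASP then combines incidence with the exploitability and impact scores from step 2; this snippet stops at incidence.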

6. What Does the 2025 RC Mean for You (Practically)?

For training and slides

  • You can now teach both:
    • OWASP Top 10:2021 – still the current “official” stable list
    • OWASP Top 10:2025 RC1 – the upcoming version, showing where the industry is heading.
  • Emphasize supply chain risk and exception-handling issues, since these are the standout additions.

For secure SDLC / DevSecOps

  • Strengthen:
    • SBOMs and SCA (Software Supply Chain Failures)
    • CI/CD hardening, artifact signing, package provenance
    • Error/exception-handling patterns, especially “fail-closed” behavior
  • Update your:
    • Threat modeling checklists
    • Secure coding standards
    • Test cases and pipelines (e.g., scanning dependencies & images)

For your future OWASP course

I’d strongly suggest:

  • Have one module on 2021 (because many compliance docs still reference it).
  • Have a “New in 2025” module that:
    • Explains A03 and A10 in depth
    • Shows how A06:2021 (Vulnerable and Outdated Components) evolved into A03:2025 (Software Supply Chain Failures)
    • Highlights SSRF’s consolidation into A01
    • Links 2025 categories to ASVS, WSTG, and SAMM.
