OWASP announced the Top 10:2025 release candidate (RC1) at Global AppSec DC in the first week of November 2025. RC1 is open for community feedback but is stable at the category level: the ten categories and their ordering are unlikely to move materially before final publication, while the specific examples and prevention guidance may still change. For defenders, three changes matter most. Vulnerable and Outdated Components (A06:2021) has been expanded and renamed Software Supply Chain Failures, covering the whole ecosystem around dependencies, build systems, and distribution. Security Misconfiguration moved from #5 in 2021 to #2. A new category, Mishandling of Exceptional Conditions, joined the list at #10, while Server-Side Request Forgery (A10:2021) was folded into Broken Access Control. These are not cosmetic changes; they reflect a multi-year shift in the data OWASP analyzed.
What does the new ordering look like?
The list keeps ten categories. The RC1 ordering is: A01 Broken Access Control (unchanged at #1, now including SSRF), A02 Security Misconfiguration (up from #5), A03 Software Supply Chain Failures (expanded from A06:2021 Vulnerable and Outdated Components), then Cryptographic Failures, Injection, Insecure Design, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and A10 Mishandling of Exceptional Conditions (new). The ordering is driven primarily by incidence rate in the contributed data (how many tested applications exhibit at least one CWE in the category), not by a severity weighting. That is why Misconfiguration leapt despite being a familiar category: modern stacks have far more configuration surface area than 2021 stacks did, and CWE-mapped misconfigurations dominated the recent data.
Why "Software Supply Chain Failures" instead of "Vulnerable Components"?
The 2021 category was narrow: it focused on running a known-vulnerable version of a dependency. The 2025 expansion absorbs typosquatting, dependency confusion, malicious maintainer takeover, compromised build infrastructure, unverified provenance, and unsigned releases. The OWASP team cites four years of breach data, including 3CX, SolarWinds Orion, MOVEit, the polyfill.io CDN compromise, and the Nx s1ngularity attack, as evidence that "vulnerable component" no longer captures the actual risk surface. The new category is structurally aligned with NIST SSDF, SLSA, CISA Secure by Design, and the EU Cyber Resilience Act, which simplifies mapping for organizations that already track several of those frameworks.
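The failure classes named above (unpinned or unhashed dependencies, dependency confusion between a private and a public index, typosquatted names) are all visible in a plain pip requirements file. The following is an added example, not OWASP's text or tooling, of a small audit that flags them. The package allowlist, the "internal-only" set, the public-index snapshot and the sample requirements are all constructed for this demonstration; a real check would feed in a curated package list and a live index query.

```python
"""Constructed audit of a pip requirements file for A03:2025 failure classes."""
import re

# Constructed: a handful of well-known public package names (a real run uses a curated list)
KNOWN_PUBLIC = {"requests", "urllib3", "cryptography", "pyyaml", "pyjwt"}
# Constructed: packages that exist only on the organisation's private index
INTERNAL_ONLY = {"acme-billing-core", "acme-auth-sdk"}
# Constructed: names observed on the public index; overlap with INTERNAL_ONLY is dependency confusion
PUBLIC_INDEX = KNOWN_PUBLIC | {"reqeusts", "acme-auth-sdk"}

# name, optional [extras], optional version specifier; --hash= options are checked separately
REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<spec>(?:===|[=!<>~]=?)\S*)?"
)


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def within_one_edit(a, b):
    """True if a and b differ by one insertion, deletion, substitution or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def audit_requirements(text):
    """Return (line_no, package, issue) tuples for each supply-chain weakness found."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option line such as --index-url
        m = REQ.match(line)
        if not m:
            findings.append((no, raw.strip(), "unparseable requirement"))
            continue
        name = normalize(m.group("name"))
        spec = m.group("spec") or ""
        if not spec.startswith("=="):
            findings.append((no, name, "version not pinned with =="))
        if "--hash=" not in line:
            findings.append((no, name, "no --hash= pin; artifact integrity unverified"))
        if name in INTERNAL_ONLY and name in PUBLIC_INDEX:
            findings.append((no, name, "internal name also on public index (dependency confusion)"))
        if name not in KNOWN_PUBLIC and name not in INTERNAL_ONLY:
            for known in KNOWN_PUBLIC:
                if within_one_edit(name, known):
                    findings.append((no, name, f"one edit from {known!r} (possible typosquat)"))
    return findings


# Constructed sample input; the sha256 digests are placeholders, not real hashes.
SAMPLE_REQUIREMENTS = """\
# constructed sample
--index-url https://pypi.example.internal/simple
requests==2.32.3 --hash=sha256:deadbeef   # placeholder digest
reqeusts==2.32.3
urllib3>=2.0
PyYAML==6.0.2 --hash=sha256:cafef00d
acme-auth-sdk==1.4.0 --hash=sha256:feedface
acme-billing-core==3.1.0 --hash=sha256:0badf00d
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

The check is deliberately conservative: a name within one edit of a well-known package is only flagged when it is neither on the curated public list nor a known internal package, and the dependency-confusion test fires only when a private name is also observed publicly. Hash continuation lines (a trailing backslash with `--hash=` on the next line) are not joined here; a production version would handle them.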
What is Mishandling of Exceptional Conditions (A10:2025)?
A genuinely new entry covering bugs caused by improper handling of errors, exceptions, and edge cases. Examples include catching exceptions too broadly and silencing them, fail-open authorization paths, race conditions that bypass intended controls, and inconsistent error handling between the fast path and the error path. The category is informed by CWE-755 (Improper Handling of Exceptional Conditions), CWE-703 (Improper Check or Handling of Exceptional Conditions), and CWE-209 (Generation of Error Message Containing Sensitive Information). Several recent CVEs cited by the working group involve authorization code that handed an exception object, rather than a boolean, to a permission check, which then evaluated the object as truthy.
# A10:2025 anti-pattern: exception caught and silenced, then an ambiguous value returned
# (rbac, audit and current_user are the application's own objects)
def is_admin(user):
    try:
        return rbac.lookup(user).has_role("admin")
    except Exception:
        return None  # neither "deny" nor "grant": each caller decides what None means

# Caller A: None is falsy, so a failed lookup happens to deny
if is_admin(current_user):
    grant_admin_console()

# Caller B: written to distinguish "not admin" from "unknown", so None passes (fail-open)
# and the audit trail records a legitimate-looking "admin console accessed" event
if is_admin(current_user) is not False:
    grant_admin_console()
    audit.log("admin console accessed", user=current_user)
What happened to SSRF?
Server-Side Request Forgery was its own category at #10 in 2021. In the 2025 release candidate, SSRF is consolidated under Broken Access Control. The rationale: SSRF is ultimately an authorization bypass, in which the server is induced to reach an internal-network resource the caller could not reach directly, and the data shows SSRF and BAC findings clustering together in modern applications. Consolidation does not mean SSRF is less important (A01 stays #1), but it changes how organizations should think about controls. SSRF mitigations (egress allowlists, metadata-service hardening, internal authentication) are now framed as access control on outbound requests rather than as a separate problem.
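Treating SSRF as access control on outbound requests means every outbound URL gets a deny-by-default policy decision, the same way an inbound request gets an authorization check. The following is an added example (not OWASP guidance text or code) of such an egress guard. The resolver is injected so the demo runs offline; `EGRESS_ALLOWLIST`, `FAKE_DNS`, the hostnames and the addresses are constructed for this demonstration.

```python
"""Constructed egress guard: SSRF controls expressed as an allowlist on outbound requests."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: (scheme, host, port) triples this service may call.
EGRESS_ALLOWLIST = {
    ("https", "api.partner.example", 443),
    ("https", "hooks.example.net", 443),
    ("https", "cdn.partner.example", 443),
}

# Constructed DNS view. cdn.partner.example is allowlisted but has been re-pointed
# at the cloud metadata service, which is what a rebinding or takeover looks like.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "hooks.example.net": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "cdn.partner.example": ["169.254.169.254"],
}


def fake_resolve(host):
    """Constructed resolver standing in for socket.getaddrinfo."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"no such host: {host}")


def _is_public(ip):
    """Accept only globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still link-local
    return addr.is_global and not addr.is_multicast


def check_egress(url, resolve=fake_resolve):
    """Return (allowed, reason). Deny by default: a request passes only if the
    scheme/host/port is allowlisted and every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if host is None:
        return False, "no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses are never allowlisted"  # bypasses the name policy
    except ValueError:
        pass
    if (parts.scheme, host, port) not in EGRESS_ALLOWLIST:
        return False, f"{parts.scheme}://{host}:{port} not in egress allowlist"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    bad = [a for a in addrs if not _is_public(a)]
    if bad:
        return False, f"{host} resolves to non-public address(es) {bad}"
    return True, f"{host} -> {addrs}"


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/ping",
              "https://169.254.169.254/latest/meta-data/",
              "https://cdn.partner.example/lib.js"):
        print(u, check_egress(u))
```

One caveat a practitioner would add: this check resolves the name once and then the HTTP client resolves it again, so a DNS rebinding attacker can pass the check and still reach an internal address. Closing that gap means connecting to the address that was checked (pinning the resolved IP and sending the original host name in SNI and the Host header), or enforcing the same policy at a forward proxy or network egress layer.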
What about Insecure Design and Cryptographic Failures?
Both categories remain on the 2025 list with refreshed guidance. Insecure Design (rank-stable in the middle of the list) received substantially updated examples reflecting modern architecture patterns: insecure composition of serverless functions, missing rate-limit design in API gateways, and missing tenant-isolation design in multi-tenant SaaS. The OWASP team also stressed that threat modeling is no longer optional; the Insecure Design guidance now expects mature programs to run threat modeling as a continuous activity attached to the design phase of every meaningful change, not as a one-time architecture-review artifact. Cryptographic Failures retained its placement and most of its 2021 scope but added explicit references to post-quantum cryptography readiness: the guidance recommends that mature programs inventory their cryptographic dependencies (something CycloneDX 1.7 directly supports via its CBOM features) and develop a migration plan ahead of NIST's deprecation timeline for quantum-vulnerable primitives.
How should AppSec teams act on RC1 today?
Three steps. First, map your existing AppSec metrics to the new categories so that when the final 2025 list publishes, your dashboards do not show artificial discontinuity. The supply-chain category in particular benefits from explicit mapping to your SLSA, SBOM, and provenance programs. Second, audit your error-handling code for the A10 anti-patterns; an internal sweep that compares exception flow against intended authorization boundaries finds bugs cheaply. Third, refresh your training content — the Top 10 is the most-referenced training artifact in AppSec, and pre-publishing internal training aligned to the 2025 categories is a low-cost win.
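The second step, a sweep of exception flow against authorization boundaries, can be mechanised for Python code with the standard `ast` module. The following is an added example, not OWASP's tooling or the page's own code: it flags broad handlers (`except:`, `except Exception`, `except BaseException`, or a tuple containing them) inside functions whose names look like permission checks, when the handler body swallows the error or returns an ambiguous or fail-open value. The name heuristic in `AUTHZ_NAME` and the sample source in `SAMPLE` are constructed for this demonstration.

```python
"""Constructed AST sweep for the A10:2025 broad-except-in-authorization anti-pattern."""
import ast
import re

# Constructed heuristic for "this function decides access"; tune to your code base.
AUTHZ_NAME = re.compile(r"^(is_|can_|has_|may_|check_|authori[sz]e|permit|allow|verify_)", re.I)
BROAD_TYPES = {"Exception", "BaseException"}


def _is_broad(handler):
    """bare `except:` or a handler whose type list includes Exception/BaseException."""
    if handler.type is None:
        return True
    names = handler.type.elts if isinstance(handler.type, ast.Tuple) else [handler.type]
    return any(isinstance(n, ast.Name) and n.id in BROAD_TYPES for n in names)


def _suspicious(stmt):
    """Describe a handler statement that swallows the error or yields a non-deny value."""
    if isinstance(stmt, ast.Pass):
        return "pass (error swallowed)"
    if isinstance(stmt, ast.Return):
        value = stmt.value
        if value is None or (isinstance(value, ast.Constant) and value.value is None):
            return "return None (ambiguous)"
        if isinstance(value, ast.Constant) and value.value is True:
            return "return True (fail-open)"
    return None


def find_a10_antipatterns(source, filename="<memory>"):
    """Return (filename, function, except_lineno, reason) for each suspicious handler."""
    findings = []
    tree = ast.parse(source, filename)
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if not AUTHZ_NAME.match(func.name):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.ExceptHandler) or not _is_broad(node):
                continue
            for stmt in node.body:
                reason = _suspicious(stmt)
                if reason:
                    findings.append((filename, func.name, node.lineno, reason))
    return findings


# Constructed sample: three anti-patterns, one fail-closed handler, one non-authz function.
SAMPLE = '''
def is_admin(user):
    try:
        return rbac.lookup(user).has_role("admin")
    except Exception:
        return None

def can_export(user, dataset):
    try:
        return policy.allows(user, dataset)
    except (KeyError, Exception):
        pass
    return True

def check_quota(user):
    try:
        return quota.remaining(user) > 0
    except:
        return True

def is_admin_safe(user):
    try:
        principal = rbac.lookup(user)
    except ConnectionError:
        return False
    return principal.has_role("admin")

def format_error(exc):
    try:
        return str(exc)
    except Exception:
        return None
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        for f in find_a10_antipatterns(SAMPLE, "sample.py"):
            print(f)
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for f in find_a10_antipatterns(fh.read(), path):
                print(f)
```

Run with no arguments it reports the three planted anti-patterns and nothing else; run with file paths it sweeps those files. The fail-closed `is_admin_safe` is deliberately not flagged: catching a specific exception and returning `False` is the intended shape. The heuristic is a starting point for a manual review, not a verdict, which is why it reports the `except` line rather than trying to rewrite anything.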
What about Identification and Authentication Failures?
A07:2025 Identification and Authentication Failures stayed on the list with refreshed guidance. The 2025 text emphasizes phishing-resistant MFA (WebAuthn, passkeys, hardware tokens) over SMS or TOTP, secure session management for both server-rendered and SPA architectures, and credential-stuffing resistance through both technical controls (rate limiting, breached-credential detection) and architectural controls (passwordless authentication where possible). The category reflects the ongoing reality that authentication failures remain among the most common application security weaknesses, and that the bar keeps rising: patterns considered adequate in 2021 (TOTP, SMS-based recovery) are now considered weaker than current best practice. For organizations measuring AppSec posture, A07 is a useful annual checkpoint on identity hygiene.
How is the underlying data different in 2025?
OWASP Top 10 lists are anchored in two data inputs: a CWE-mapped vulnerability dataset and a community survey. The 2025 RC1 explains that the dataset for this cycle is materially larger than in 2021 (more contributing organizations, more applications, more findings) and covers the 2022-2024 period, when modern application architectures (microservices, serverless, API-first, AI features) became dominant. The community survey, run in parallel, asks practitioners which categories they believe matter most. Categories that show high data prevalence and high survey concern tend to rise in ranking; categories that show only one signal tend to hold their place or fall. The 2025 ordering reflects misconfigurations being both prevalent in the data and frequently called out in the survey, supply chain failures being both prevalent in incidents and consistently flagged by practitioners, and access control being the perennial #1 because it is both the most prevalent and the most concerning. Understanding the methodology helps readers interpret why specific categories moved: the list is empirical, not editorial, and reflects the window of observable application security data since the previous release.
How Safeguard Helps
Safeguard maps the Top 10:2025 categories to platform findings directly. The expanded Software Supply Chain Failures category aligns with the platform's existing supply-chain risk model — SBOM coverage, SLSA provenance verification, signed-release enforcement, typosquatting detection, and maintainer takeover signals all flow into A03 reporting. Misconfiguration findings from connected SCM and CI integrations map to A02. The new Mishandling of Exceptional Conditions category is supported by Griffin AI's code-analysis prompts, which detect the common anti-patterns (broad except-clauses around authorization, fail-open error paths) when scanning repos. For training and reporting, Safeguard generates Top 10:2025-aligned vulnerability summaries grouped by category, with finding density and trend lines per category, so that quarterly AppSec reviews can speak the same vocabulary as the new standard.