// OWASP

OWASP LLM Top 10 (2025) — Deep Dive with Claude Examples

OWASP's LLM Top 10 is the de-facto vocabulary for LLM application risk. The 2025 revision tightened definitions and added agency and vector-DB risks. This deep dive maps each entry to a Claude-era exploit and to specific controls.

Updated 2026-06-0514 min readVendor-neutral · primary sources

The 2025 list at a glance

  1. LLM01 Prompt Injection
  2. LLM02 Sensitive Information Disclosure
  3. LLM03 Supply Chain
  4. LLM04 Data and Model Poisoning
  5. LLM05 Improper Output Handling
  6. LLM06 Excessive Agency
  7. LLM07 System Prompt Leakage
  8. LLM08 Vector and Embedding Weaknesses
  9. LLM09 Misinformation
  10. LLM10 Unbounded Consumption

Deep dive with concrete Claude examples

LLM01 Prompt Injection

Direct, indirect, and multimodal. In 2026 the most-exploited variant is indirect injection through MCP-fetched content. Control: instruction-hierarchy enforcement, output classifiers, untrusted-content tags.

LLM02 Sensitive Information Disclosure

Includes system-prompt extraction, training-data regurgitation, and per-tenant leakage. Control: redact-at-egress, no-secrets-in-system-prompt, embedding-store scoping.

LLM03 Supply Chain

Compromised fine-tunes, poisoned base models, malicious LoRA adapters, typosquatted Python packages on HuggingFace and PyPI. Control: SBOM for models, signature verification, pinned hashes.

LLM04 Data & Model Poisoning

Most relevant when you fine-tune or run RAG against user-contributed data. Control: provenance metadata, anomaly detection on training batches.

LLM05 Improper Output Handling

Treating model output as trusted HTML/SQL/shell. Classic XSS through markdown rendering of model output is a 2026 favourite. Control: contextual output encoding, sandboxed renderers.

LLM06 Excessive Agency

Giving the model tools it does not strictly need. Control: least-privilege tool scopes, human-in-the-loop on irreversible actions, time-boxed credentials.

LLM07 System Prompt Leakage

Trivially exploitable on most apps. Mitigation: do not store secrets in the system prompt; assume it is public.

LLM08 Vector & Embedding Weaknesses

Cross-tenant retrieval, embedding-inversion attacks, poisoned chunks. Control: per-tenant namespaces, signed chunks, dimension-aware access control.

LLM09 Misinformation

Hallucination becomes a security issue when it triggers automated action. Control: cite-or-refuse, grounding constraints, abstention training.

LLM10 Unbounded Consumption

Token DoS, prompt-bomb attacks, infinite-loop tool calls. Control: per-tenant rate and token quotas, max-steps for agents, circuit breakers.

FAQ

Is OWASP LLM Top 10 enough for compliance?

No. Use it as a hygiene baseline alongside NIST AI RMF and ISO/IEC 42001.

How often is the list revised?

Roughly annually. 2025 was the first major revision; expect 2027 changes around agent-specific risks.

// keep reading

Browse 300+ cybersecurity prompts, 40+ Claude-compatible tools, and daily AI-security intel.

Cybersecurity Prompts →Tool DirectoryMethodology