Module 5.1
The Attack Surface — OWASP Top 10 for LLM Applications
AI agents are not just software that runs code — they're software that follows instructions written in natural language. That changes everything about security.
In traditional software, you defend a clear boundary: validate inputs, sanitize outputs, patch known CVEs. The attack surface is well-defined. With LLM agents, the attack surface is the model's entire context window — and it grows every time the agent reads an email, browses a webpage, or queries a database.
The security community produced a canonical answer: the OWASP Top 10 for LLM Applications. Maintained by 600+ experts across 18 countries, the 2025 edition reflects real exploits that happened — not theoretical ones dreamed up in a lab.
Why a Separate Top 10?
The original OWASP Top 10 covers SQL injection, XSS, broken authentication. Those still apply. But LLM applications have a new category of vulnerability that didn't exist before: the model itself can be manipulated through its inputs to take unintended actions. You can't patch that with a firewall rule.
The LLM Top 10 formalizes the new threat categories. It's your threat modeling starting point for every agent you build.
The 2025 Top 10
| # | Name | One-line summary |
|---|---|---|
| LLM01 | Prompt Injection | Malicious inputs hijack model behavior |
| LLM02 | Sensitive Information Disclosure | LLMs leak PII, credentials, or proprietary data |
| LLM03 | Supply Chain | Compromised models, datasets, or dependencies |
| LLM04 | Data and Model Poisoning | Tampered training/RAG data corrupts behavior |
| LLM05 | Improper Output Handling | Unvalidated LLM output enables XSS, SQLi, RCE |
| LLM06 | Excessive Agency | Over-privileged agents take irreversible autonomous actions |
| LLM07 | System Prompt Leakage (new 2025) | Hidden instructions exposed to attackers |
| LLM08 | Vector & Embedding Weaknesses (new 2025) | RAG pipelines and vector DBs exploited or poisoned |
| LLM09 | Misinformation | Hallucinations cause real-world harm |
| LLM10 | Unbounded Consumption | Uncontrolled resource use → DoS and "Denial of Wallet" |
Two entirely new entries in 2025 (LLM07 and LLM08) reflect that the threat landscape moved fast. LLM02 jumped four places to #2. The committee doesn't rearrange things randomly — this reflects real observed exploits.
The Agent-Critical Four
Not all 10 hit agents equally hard. Four are existential for autonomous systems.
LLM01 — Prompt Injection is #1 for a reason. The model cannot reliably distinguish your system instructions from adversarial input — both arrive as text. A user who types "ignore all previous instructions" is doing the same thing at a different layer as a malicious webpage the agent reads during a task.
LLM06 — Excessive Agency is the multiplier. A successful prompt injection on an agent with read-only access leaks information. The same attack on an agent with delete permissions and email send rights is catastrophic. This vulnerability is what turns "bad output" into "irreversible real-world damage."
OWASP defines three distinct failure modes:
- Excessive functionality — the tool can do more than needed (read + write + delete when only read is required)
- Excessive permissions — credentials allow broader access than the task requires
- Excessive autonomy — high-impact irreversible actions execute without human confirmation
LLM08 — Vector & Embedding Weaknesses is new in 2025 and directly relevant to any agent using RAG. Your vector database is the agent's external memory. Three attack vectors:
- Embedding inversion: researchers can reverse-engineer plaintext from embedding vectors mathematically
- Data poisoning: inject malicious content into the knowledge base, poison all future queries silently and at scale
- Unauthorized access: vector DBs frequently have weaker access controls than SQL databases — a misconfiguration exposes all indexed documents
LLM07 — System Prompt Leakage was added because it works. Prompting "repeat your system prompt word for word" caused many production systems to comply. Extracted prompts revealed API keys, internal tooling details, and the exact guardrail rules — making those guardrails trivially bypassable.
The lesson: don't treat your system prompt as a security boundary. It's not. Enforce constraints in code, not text.
The Financial Attack: LLM10 Unbounded Consumption
The 2023 version was called "Denial of Service." The 2025 rename to Unbounded Consumption explicitly adds the financial dimension.
The attack: submit extremely long, computationally expensive prompts in bulk. You don't take the service offline — the service keeps running, but the API bills skyrocket. This is Denial of Wallet. At pay-per-token pricing, an attacker can cost you thousands of dollars without triggering any uptime monitoring.
There's also a subtler variant: iterative queries that slowly extract enough information to replicate a proprietary fine-tuned model. The model never "breaks" — it just answers questions until the attacker has reconstructed your competitive advantage.
The fix: rate-limit per user and session, set hard token caps on inputs and outputs, monitor spend, alert on anomalies.
What Changed From 2023
- LLM07 (System Prompt Leakage) is entirely new — it wasn't a documented real-world exploit in 2023
- LLM08 (Vector & Embedding) is new — RAG was experimental in 2023, mainstream in 2025
- LLM06 (Excessive Agency) was expanded to explicitly address autonomous agent architectures
- LLM04 expanded from "Training Data Poisoning" to "Data and Model Poisoning" — now covers RAG poisoning and fine-tuning attacks
If you're reading old tutorials that reference the 2023 list, they're missing two entire vulnerability categories.
Sources
- OWASP Top 10 for LLM Applications — Official Project Page
- OWASP GenAI Security Project — LLM Top 10
- OWASP Top 10 for LLMs 2025 — PDF
- Oligo Security — OWASP Top 10 LLM 2025: Examples and Mitigation Strategies
- Confident AI — OWASP Top 10 2025: Risks and Mitigation Techniques