Here is HackerOne’s perspective on the Top 10 list for LLM vulnerabilities, how the list has changed, and what solutions can help secure against these risks.

Browse by LLM vulnerability:

  1. Prompt Injection
  2. Sensitive Information Disclosure
  3. Supply Chain Vulnerabilities
  4. Data and Model Poisoning
  5. Improper Output Handling
  6. Excessive Agency
  7. System Prompt Leakage
  8. Vector and Embedding Weaknesses
  9. Misinformation
  10. Unbounded Consumption

The OWASP Top 10 for LLMs: 2024 vs. 2025

2024

Change

2025

LLM01: Prompt Injection

No change

LLM01: Prompt Injection

LLM02: Insecure Output Handling

↓3

LLM02: Sensitive Information Disclosure

LLM03: Training Data Poisoning

↓1

LLM03: Supply Chain Vulnerabilities

LLM04: Model Denial of Service

LLM04: Data and Model Poisoning

LLM05: Supply Chain Vulnerabilities

↑2

LLM05: Improper Output Handling

LLM06: Sensitive Information Disclosure

↑4

LLM06: Excessive Agency

LLM07: Insecure Plugin Design

LLM07: System Prompt Leakage

LLM08: Excessive Agency

↑2

LLM08: Vector and Embedding Weaknesses

LLM09: Overreliance

LLM09: Misinformation

LLM10: Model Theft

LLM10: Unbounded Consumption

LLM01: Prompt Injection

Position change: None

What Is Prompt Injection?

One of the most commonly discussed LLM vulnerabilities, Prompt Injection is a vulnerability during which an attacker manipulates the operation of a trusted LLM through crafted inputs, either directly or indirectly. For example, an attacker leverages an LLM to summarize a webpage containing a malicious and indirect prompt injection. The injection contains “forget all previous instructions” and new instructions to query private data stores, leading the LLM to disclose sensitive or private information.

Solutions to Prompt Injection

Several actions can contribute to preventing Prompt Injection vulnerabilities, including: 

  • Enforcing privilege control on LLM access to the backend system
  • Segregating external content from user prompts
  • Keeping humans in the loop for extensible functionality

LLM02: Sensitive Information Disclosure

Position change: ↑4

What Is Sensitive Information Disclosure?

Sensitive Information Disclosure is when LLMs inadvertently reveal confidential data. This can result in the exposing of proprietary algorithms, intellectual property, and private or personal information, leading to privacy violations and other security breaches. Sensitive Information Disclosure can be as simple as an unsuspecting legitimate user being exposed to other user data when interacting with the LLM application in a non-malicious manner. But it can also be more high-stakes, such as a user targeting a well-crafted set of prompts to bypass input filters from the LLM to cause it to reveal personally identifiable information (PII). Both scenarios are serious, and both are preventable.

Why the Move? 

With the easy integration of LLMs into various systems (databases, internal issue trackers, files, etc.), the risk of sensitive information disclosure has increased significantly. Attackers can exploit these integrations by crafting specific prompts to extract sensitive data such as employee payrolls, Personally Identifiable Information (PII), health records, and confidential business data. Given the rapid adoption of LLMs in organizational workflows without adequate risk assessments, this issue has been elevated in importance.

Solutions to Sensitive Information Disclosure

To prevent sensitive information disclosure, organizations need to:

  • Integrate adequate data input/output sanitization and scrubbing techniques
  • Implement robust input validation and sanitization methods
  • Practice the principle of least privilege when training models
  • Leverage hacker-based adversarial testing to identify possible sensitive information disclosure issues 

LLM03: Supply Chain Vulnerabilities

Position change: ↑2

What Are Supply Chain Vulnerabilities?

The supply chain in LLMs can be vulnerable, impacting the integrity of training data, Machine Learning (ML) models, and deployment platforms. Supply Chain Vulnerabilities in LLMs can lead to biased outcomes, security breaches, and even complete system failures. Traditionally, supply chain vulnerabilities are focused on third-party software components, but within the world of LLMs, the supply chain attack surface is extended through susceptible pre-trained models, poisoned training data supplied by third parties, and insecure plugin design. 

Why the Move? 

The demand for cost-effective and performant LLMs has led to a surge in the use of open-source models and third-party packages. However, many organizations fail to adequately vet these components, leaving them vulnerable to supply chain attacks. Using unverified models, outdated or deprecated packages, or compromised training data can introduce backdoors, biases, and other security flaws. Recognizing the importance of a secure supply chain in mitigating these risks and potential legal ramifications, this vulnerability has moved up the list.

Solutions to Supply Chain Vulnerabilities

Supply Chain Vulnerabilities in LLMs can be prevented and identified by:

  • Carefully vetting data sources and suppliers
  • Using only reputable plug-ins, scoped appropriately to your particular implementation and use cases
  • Conducting sufficient monitoring, adversarial testing, and proper patch management

LLM04: Data and Model Poisoning

Position change: ↓1

What Is Data and Model Poisoning?

Training data poisoning refers to the manipulation of data or fine-tuning of processes that introduce vulnerabilities, backdoors, or biases and could compromise the model’s security, effectiveness, or ethical behavior. It’s considered an integrity attack because tampering with training data impacts the model’s ability to output correct predictions.

Solutions to Data and Mode Poisoning

Organizations can prevent Training Data Poisoning by:

  • Verifying the supply chain of training data, the legitimacy of targeted training data, and the use case for the LLM and the integrated application
  • Ensuring sufficient sandboxing to prevent the model from scraping unintended data sources
  • Use strict vetting or input filters for specific training data or categories of data sources

LLM05: Improper Output Handling

Position change: ↓3

What Is Insecure Output Handling?

Insecure Output Handling occurs when an LLM output is accepted without scrutiny, potentially exposing backend systems. Since LLM-generated content can be controlled by prompt input, this behavior is similar to providing users indirect access to additional functionality, such as passing LLM output directly to backend, privileged, or client-side functions. This can, in some cases, lead to severe consequences like XSS, CSRF, SSRF, privilege escalation, or remote code execution.

Solutions to Improper Output Handling

There are three key ways to prevent Insecure Output Handling:

  • Treating the model output as any other untrusted user content and validating inputs
  • Encoding output coming from the model back to users to mitigate undesired code interpretations
  • Pentesting to uncover insecure outputs and identify opportunities for more secure output

LLM06: Excessive Agency

Position change: ↑2

What Is Excessive Agency?

Excessive Agency is typically caused by excessive functionality, excessive permissions, and/or excessive autonomy. One or more of these factors enables damaging actions to be performed in response to unexpected or ambiguous outputs from an LLM. This takes place regardless of what is causing the LLM to malfunction — confabulation, prompt injection, poorly engineered prompts, etc. — and creates impacts across the confidentiality, integrity, and availability spectrum.

Solutions to Excessive Agency

To avoid the vulnerability of Excessive Agency, organizations should:

  • Limit the tools, functions, and permissions to only the minimum necessary for the LLM
  • Tightly scope functions, plugins, and APIs to avoid over-functionality
  • Require human approval for major and sensitive actions, leverage an audit log

LLM07: System Prompt Leakage

Position change: New

What Is System Prompt Leakage?

This new entry reflects the growing awareness of the risks associated with embedding sensitive information within system prompts. System prompts, designed to guide LLM behavior, can inadvertently leak secrets if not carefully constructed. Attackers can exploit this leaked information to facilitate further attacks.

Solutions to System Prompt Leakage

There are many methods to prevent System Prompt Leakage, including:

  • Never embed sensitive data in system prompts
  • Implement guardrails
  • Avoid relying on system prompts for strict behavior control

LLM08: Vector and Embedding Weaknesses

Position change: New

What Is Vector and Embedding Weaknesses?

LLMs rely on vector embeddings to represent and process information. Weaknesses in how these vectors are generated, stored, or retrieved can be exploited to inject harmful content, manipulate model outputs, or access sensitive data. This can lead to unauthorized access, data leakage, embedding inversion attacks, data poisoning, and behavior alteration.

Solutions to Vector and Embedding Weaknesses

Some key ways to prevent Vector and Embedding Weaknesses include:

  • Implement granular access controls
  • Implement robust data validation pipelines for knowledge sources
  • Classify data within the knowledge base to control access levels and prevent data mismatch errors

LLM09: Misinformation

Position change: New

What Is Misinformation?

This category replaces “Overreliance” and addresses the potential for LLMs to generate and disseminate factually incorrect or misleading information. While overreliance contributes to this problem, the focus shifts to the active generation of misinformation, commonly referred to as hallucinations or confabulations.

Solutions to Misinformation

Here are some of the most important methods for preventing Misinformation:

  • Always cross-check LLM outputs against trusted external sources
  • Break down complex tasks into smaller, manageable subtasks to reduce the likelihood of hallucinations
  • Improve output quality through fine-tuning, embedding augmentation, or other techniques

LLM10: Unbounded Consumption

Position change: New

What Is Unbounded Consumption?

This new entry encompasses the risks associated with excessive resource consumption during LLM inference, including computational resources, memory, and API calls. This can lead to denial-of-service conditions, increased costs, and potential performance degradation. Model theft and Model Denial of Service, previously a separate entry, is now considered a subset of this broader category.

Solutions to Unbounded Consumption

There are several key methods to prevent Unbounded Consumption, including:

  • Sanitize and validate user inputs to prevent malicious or overly complex queries
  • Implement rate-limiting mechanisms to control the number of requests an LLM can process within a given timeframe
  • Restrict access to LLM APIs and resources based on user roles and permissions.
  • Train models to be resistant to adversarial inputs
  • Use Sandbox Techniques restricting the LLM’s access to network resources, internal services, and APIs

Securing the Future of LLMs

This new release by the OWASP Foundation enables organizations looking to adopt LLM technology (or recently did so) to guard against common pitfalls. In many cases, organizations simply are unable to catch every vulnerability. HackerOne is committed to helping organizations secure their LLM applications and to staying at the forefront of security trends and challenges. 

HackerOne’s solutions are effective at identifying vulnerabilities and risks that stem from weak or poor LLM implementations. Conduct continuous adversarial testing through Bug Bounty, targeted hacker-based testing with Challenge, or comprehensively assess an entire application with Pentest or Code Security Audit. 

Contact us today to learn more about how we can help secure your LLM and secure against LLM vulnerabilities.

Similar Posts