Inferensys

Glossary

OWASP Top 10 for LLM

An industry-standard awareness document published by the Open Worldwide Application Security Project that identifies the most critical security vulnerabilities specific to large language model applications.
ML engineer fine-tuning language model on laptop, training curves visible on screen, technical deep work session.
SECURITY FRAMEWORK

What is OWASP Top 10 for LLM?

The OWASP Top 10 for LLM Applications is an industry-standard awareness document that identifies and ranks the most critical security vulnerabilities specific to applications leveraging large language models.

Published by the Open Worldwide Application Security Project (OWASP), the OWASP Top 10 for LLM provides a definitive taxonomy of risks including prompt injection, insecure output handling, and training data poisoning. It serves as the foundational security checklist for architects and developers building agentic systems, moving beyond traditional web application risks to address the unique attack surface created by generative AI and autonomous tool-calling.

The framework categorizes threats such as model denial of service, supply chain vulnerabilities, and excessive agency—where an LLM is granted unchecked permissions to execute actions. By defining these critical vulnerabilities, the document enables security engineers to implement a defense-in-depth strategy, ensuring that agentic threat modeling and jailbreak mitigation efforts are aligned with a globally recognized, peer-reviewed standard.

LLM SECURITY FUNDAMENTALS

Frequently Asked Questions

Clear, technical answers to the most common questions about the OWASP Top 10 for Large Language Model Applications, covering the critical vulnerabilities every engineering team must address.

The OWASP Top 10 for LLM Applications is an industry-standard awareness document published by the Open Worldwide Application Security Project that identifies and ranks the ten most critical security vulnerabilities specific to applications leveraging large language models. Unlike the traditional OWASP Top 10 for web applications, this list addresses novel attack surfaces introduced by generative AI, including prompt injection, insecure output handling, training data poisoning, and model denial of service. The document serves as a foundational risk taxonomy for security engineers, CTOs, and compliance officers building or deploying LLM-integrated systems. Each entry includes a description of the vulnerability, common attack scenarios, prevention strategies, and references to related frameworks. The list is maintained by a community of security researchers and AI practitioners, with version 1.0 released in 2023 and subsequent updates reflecting the rapidly evolving threat landscape.

CRITICAL THREAT LANDSCAPE

Core Vulnerability Categories in the OWASP Top 10 for LLM

The OWASP Top 10 for LLM Applications provides a definitive taxonomy of the most critical security vulnerabilities unique to large language model integrations. Each category represents a distinct attack surface requiring specific mitigation strategies.

01

LLM01: Prompt Injection

The most critical vulnerability where adversarial inputs override system instructions or hijack model behavior. Direct injections craft malicious user prompts to bypass safety guardrails, while indirect injections hide instructions in retrieved documents, web pages, or emails that the LLM processes. This attack exploits the model's inability to distinguish between developer-set instructions and untrusted data. Mitigation requires instruction hierarchy frameworks, input sanitization, and privilege separation between system and user contexts.

#1
OWASP Ranking
Critical
Severity Level
02

LLM02: Insecure Output Handling

Occurs when LLM-generated output is passed directly to downstream systems without validation, enabling cross-site scripting, SQL injection, or remote code execution. The model becomes an unwitting attack vector when its responses contain executable code, malicious URLs, or crafted payloads. Defense requires treating all model output as untrusted user input, implementing strict output encoding, and applying context-aware sanitization before consumption by interpreters, databases, or browsers.

RCE
Worst-Case Impact
03

LLM03: Training Data Poisoning

Adversaries corrupt training or fine-tuning datasets to implant backdoors, biases, or vulnerabilities that persist in the deployed model. Poisoned examples can cause targeted misclassification, leak sensitive information when specific triggers appear, or degrade overall model safety. Supply chain attacks on pre-trained models are particularly dangerous. Mitigation requires data provenance verification, anomaly detection in training corpora, and rigorous model evaluation against adversarial benchmarks before deployment.

Persistent
Attack Duration
04

LLM04: Model Denial of Service

Attackers overwhelm LLM infrastructure through resource-intensive queries that cause degraded service, inflated operational costs, or complete system unavailability. Techniques include crafting inputs that trigger infinite generation loops, exploiting attention mechanisms with extremely long contexts, or flooding APIs with concurrent requests. Defense requires rate limiting, input length restrictions, token budget enforcement, and monitoring for anomalous resource consumption patterns.

Cost
Primary Business Impact
05

LLM05: Supply Chain Vulnerabilities

Security risks inherited from third-party components including pre-trained models, fine-tuning datasets, vector databases, and agent plugins. Compromised LangChain packages, malicious HuggingFace models, or vulnerable retrieval plugins can introduce exploits into otherwise secure applications. Mitigation requires software bill of materials tracking, dependency scanning, model signature verification, and strict access controls on plugin execution environments.

3rd Party
Attack Origin
06

LLM06: Sensitive Information Disclosure

LLMs inadvertently reveal personally identifiable information, proprietary code, API keys, or training data through their outputs. This occurs through memorization of training data, context leakage between users, or model inversion attacks that reconstruct private information. Defense requires differential privacy during training, output filtering with regex and NER-based detection, and strict data sanitization before fine-tuning on proprietary datasets.

PII
Primary Data at Risk
Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.