🚨 OWASP Top 10 (2025) is here!

With some really interesting changes that every developer and security engineer should pay attention to.

For context: OWASP publishes its Top 10 web application risk categories roughly every four years, and the previous edition was released in 2021.

Here are a few major changes this time around 👇

1️⃣ Injection moving down the list
This trend makes sense: most modern frameworks now ship with strong protection by default, such as parameterized queries in ORMs and auto-escaping in template engines. Unless a developer deliberately bypasses those defaults (string-building a query, marking output as "safe"), these issues are becoming less common. Note that Injection dropped from A03 in 2021 to A05 in 2025; it is lower on the list, not off it.

2️⃣ SSRF merged into Broken Access Control
This one’s a bit odd. I’m still digging into the reasoning behind it — feels like a stretch, but let’s see how the community interprets it.

3️⃣ A new category: Mishandling of Exceptional Conditions (A10:2025)
This one caught my eye. It’s an interesting addition and reflects how subtle error handling flaws can have major security impact.
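As an added illustration of the kind of flaw this category covers (example code, not from the post or from OWASP), here is an authorization check that depends on an external permission store. The store, the users and the permissions are all constructed for the demo. The first version swallows any error and falls through to "allow"; the second catches only the failure it expects, logs it, and denies.

```python
import logging

log = logging.getLogger("authz")

class PermissionStoreError(Exception):
    """Simulates a timeout or outage of the permission backend."""

# Constructed permission data for the demo.
PERMISSIONS = {
    "alice": {"report:read", "report:write"},
    "bob": {"report:read"},
}

def lookup_permissions(user, backend_up=True):
    """Stand-in for a call to a remote permission service."""
    if not backend_up:
        raise PermissionStoreError("permission store unreachable")
    return PERMISSIONS.get(user, set())

def is_allowed_fail_open(user, action, backend_up=True):
    """Mishandled exceptional condition: a bare except hides the error and
    control falls through to the allow path. Anyone who can cause the outage
    (or just a timeout) is granted every action."""
    try:
        perms = lookup_permissions(user, backend_up)
        if action not in perms:
            return False
    except Exception:
        pass  # "temporary glitch, let it through"
    return True

def is_allowed_fail_closed(user, action, backend_up=True):
    """Fail closed: only the expected exception is caught, the failure is
    logged so it is visible, and the default answer is deny."""
    try:
        perms = lookup_permissions(user, backend_up)
    except PermissionStoreError as exc:
        log.warning("denying %s %s: %s", user, action, exc)
        return False
    return action in perms

if __name__ == "__main__":
    print(is_allowed_fail_open("bob", "report:write", backend_up=False))    # True (!)
    print(is_allowed_fail_closed("bob", "report:write", backend_up=False))  # False
```

Both versions give the same answers while the backend is healthy, which is why this class of bug survives functional testing; it only shows up under the failure condition.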

💡 Access Control remains king.
Even with AI becoming incredibly capable, it still struggles to test access control properly — every app has its own roles, logic, and edge cases. I don’t see that changing anytime soon.

Now I’m curious —
👉 Do you think Business Logic Vulnerabilities will fall under this new “Exceptional Conditions” category?

Drop your thoughts in the comments — would love to hear how others interpret this year’s changes.