AI Security - OWASP LLM Top 10 2025 and LLM06/02 Supply Chain Attack
Introduction
Hello again, this article is part of the AI Security series, in which I have been discussing AI security and the OWASP LLM Top 10.
See previous articles in the series here:
- LLM01 and LLM02: AI Security: Prompt Injection and Insecure Output Handling
- LLM03 and its basic concepts: Using ChatGPT for security and introduction of AI security
- LLM04: AI Security - LLM-DOS, and predictions of 2025 and beyond
In this article, I am going to discuss the OWASP LLM Top 10 2025 version and what has changed from the previous version.
OWASP LLM Top 10 2025
So far my articles have been based on the OWASP LLM Top 10 ver1.1, using its ranking to list each vulnerability. However, a new edition for 2025 and beyond has been published: OWASP Top 10 for LLM Applications 2025.
While the OWASP Top 10 (for web applications) is updated every 4 years, the OWASP LLM Top 10 is updated annually to keep pace with the rapid changes in LLM capabilities.
The changes from ver1.1 to the 2025 edition are as follows.
Every item has changed rank except LLM01: Prompt Injection, and three entries are new to the ranking: LLM07: System Prompt Leakage, LLM08: Vector and Embedding Weakness, and LLM09: Misinformation. Some items from ver1.1 have been renamed as well as re-ranked (e.g. LLM04: Model Denial of Service -> LLM10: Unbound Consumption). The diagram below compares the 2025 ranking with ver1.1.
LLM06 (on ver1.1): Sensitive Information Disclosure has moved up to second place in the 2025 version. It can be inferred that there were many leaks of confidential information last year. Also, LLM05 (on ver1.1): Supply Chain Vulnerability has moved up to third place. The second half of this article discusses this.
LLM05 (ver1.1)/LLM03(2025): Supply Chain Vulnerabilities
Supply chain is a term used to describe the sequence of steps involved in the production and maintenance of a product, from the procurement of raw materials to the sale of the product. Most modern products are made by many companies working together rather than by a single company, and the supply chain concept lets us understand the process not only within our own company but across the other companies involved. Supply chains exist not only for hardware but also for software.
A supply chain attack, then, is not a direct attack on the target company but an intrusion into the target company's systems achieved by attacking affiliated or outsourced companies whose security measures are weaker. The strength of security measures differs from company to company. Therefore, even if your company has adequate cyber security measures in place, vulnerabilities in the systems of other companies in your supply chain can be used as a springboard for an intrusion into your company.
Supply chain attacks apply equally to AI, since AI software depends on a great deal of OSS and third-party software and libraries. If those components have vulnerabilities, attacks against AI models can succeed through them. Models and data trained by other companies are likewise exposed to supply-chain attacks.
These external elements can be exploited through tampering and Data Poisoning attacks. Furthermore, the proliferation of on-device LLMs has expanded the attack surface of LLM applications, increasing the vulnerability of the entire supply chain.
The document discusses vulnerable Python libraries as one example of a supply chain attack. This was observed in the first OpenAI data breach, in which model developers unintentionally downloaded a compromised PyTorch dependency containing malware into the model development environment. Similarly, the Shadow Ray attack against the Ray framework, an AI development environment, is another example of a supply chain attack.
In 2023, Anyscale, Ray's developer, disclosed five vulnerabilities in Ray. Four of them were fixed in a new release, while the remaining one (CVE-2023-48022) was not considered a risk and was not immediately fixed. Oligo Security named CVE-2023-48022 Shadow Ray, meaning a shadow vulnerability, as users were concerned that it could be exploited by a malicious attacker. Shadow Ray illustrates that even if your company had security measures in place, you were still at risk of using libraries containing vulnerable code when other companies in your supply chain did not maintain the same level of security.
Mitigation and prevention strategies for supply chain attacks on AI are not that different from those for conventional supply chain attacks: scrutinize data sources and suppliers, maintain a Software Bill of Materials (SBOM), manage software licenses, conduct security audits, and so on.
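As an added example (not code from the article or from OWASP), the following Python script shows the integrity side of SBOM management for an AI development environment: it records the SHA-256 of every vetted artifact (model weights, training data, dependency wheels) and later flags anything that was modified, removed, or pulled in without review, which is the kind of swapped dependency the PyTorch incident above describes. The manifest format and the sample files are constructed for the demo; it is not a CycloneDX or SPDX document.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large model weights need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every artifact in a vetted environment
    (constructed stand-in for the integrity fields of an SBOM)."""
    return {p.name: sha256_file(p) for p in sorted(root.iterdir()) if p.is_file()}


def verify_environment(manifest: dict, root: Path) -> dict:
    """Compare the artifacts actually present against the manifest.
    Returns {artifact: 'ok' | 'tampered' | 'missing' | 'unlisted'}."""
    present = {p.name: p for p in root.iterdir() if p.is_file()}
    result = {}
    for name, expected in manifest.items():
        if name not in present:
            result[name] = "missing"
        elif hmac.compare_digest(sha256_file(present[name]), expected):
            result[name] = "ok"
        else:
            result[name] = "tampered"
    for name in present:
        if name not in manifest:
            result[name] = "unlisted"  # pulled in without anyone vetting it
    return result


def demo() -> dict:
    """Constructed scenario: vet an environment, then re-check it after one
    dependency was replaced by a different build and an unreviewed one appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model-weights.bin").write_bytes(b"\x00weights-v1")
        (root / "train-data.csv").write_text("id,label\n1,cat\n")
        (root / "helper-1.0.whl").write_bytes(b"PK\x03\x04clean-build")
        manifest = build_manifest(root)
        (root / "helper-1.0.whl").write_bytes(b"PK\x03\x04modified-build")
        (root / "extra-dep-0.1.whl").write_bytes(b"PK\x03\x04unreviewed")
        (root / "train-data.csv").unlink()
        return verify_environment(manifest, root)
```

In a real pipeline the manifest would be produced by the supplier or a trusted build, stored outside the environment being checked, and verified before any training or inference job starts.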