AppSec · 2026-05-21 · 8 min read

OWASP Top 10:2025 Is Live. SSRF Is Gone, Supply Chain Is #3.

OWASP published the 2025 revision of the Top 10 in May 2026. Three structural changes deserve real attention from anyone writing or auditing application code.

The full list is at owasp.org/Top10/2025/. Compliance teams that anchored audits to the 2021 rank numbers will need new checklists. The category set, in published order:

  1. A01:2025 Broken Access Control
  2. A02:2025 Security Misconfiguration (was A05:2021)
  3. A03:2025 Software Supply Chain Failures (renamed and elevated from A06:2021 Vulnerable Components)
  4. A04:2025 Cryptographic Failures (was A02:2021)
  5. A05:2025 Injection (was A03:2021)
  6. A06:2025 Insecure Design (was A04:2021)
  7. A07:2025 Authentication Failures (renamed from Identification and Authentication Failures)
  8. A08:2025 Software or Data Integrity Failures
  9. A09:2025 Security Logging and Alerting Failures (renamed from Monitoring)
  10. A10:2025 Mishandling of Exceptional Conditions (new entrant)

The renames and reorderings matter less than three structural shifts.

SSRF folds into Broken Access Control

Server-Side Request Forgery rode the Capital One breach onto the 2021 list at A10. In 2025 it leaves as a standalone category. CWE-918 is still scanned for, still patched, still exploited. What changed is OWASP's framing. An attacker who can make the server fetch an internal endpoint is, by any honest accounting, exercising access the application did not authorize. Treating SSRF as a separate category created a parallel taxonomy for what is fundamentally a Broken Access Control bug at the network layer. Consolidating the two is a cleaner model, not a softer one.

Practical effect for code review: the patterns to look for are unchanged; only the compliance mapping changes.
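Those unchanged patterns, as an added example that is not from this page or from Deva: an outbound-fetch guard that treats the request as an access-control decision. The hostname allowlist is the actual authorization check; the address check behind it rejects any allowlisted name that resolves to a non-public address. The allowlist, the `DEMO_DNS` answers and the `resolve` hook are assumptions made for the example so it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts the application
# has a business reason to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses. ipaddress classifies
    loopback, RFC 1918, link-local, CGNAT, reserved and documentation ranges
    (and their IPv6 counterparts) as non-global, which is the set a
    server-side fetch should never reach on behalf of a client."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def _system_resolve(host: str) -> list:
    """Default resolver: every address the OS resolver returns for `host`."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolve: Optional[Callable[[str], Iterable[str]]] = None):
    """Return (allowed, reason) for a URL the application is about to fetch.

    The hostname allowlist is the access-control decision; the address check
    is defence in depth for an allowlisted name that resolves somewhere it
    should not. `resolve` is injectable so the check runs offline against
    constructed DNS answers. Every resolved address must be public: a single
    internal record in the answer is enough to reach the internal network."""
    if resolve is None:
        resolve = _system_resolve
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"  # user@host forms are never legitimate here
    host = parts.hostname
    if host is None:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = list(resolve(host) or [])
    except (OSError, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for ip in addrs:
        try:
            public = is_public_address(ip)
        except ValueError:
            return False, f"unparseable address {ip!r}"
        if not public:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS answers for offline use; these are not real records.
DEMO_DNS = {
    "api.example.com": ["93.184.216.34"],
    # An allowlisted name whose answer includes an internal address (what a
    # DNS-rebinding or compromised-zone scenario looks like to the checker).
    "cdn.example.com": ["93.184.216.35", "10.0.0.5"],
}


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/items",
        "https://cdn.example.com/asset.js",
        "http://api.example.com/v1/items",
        "https://api.example.com@10.0.0.1/",
        "https://10.0.0.1/admin",
    ]:
        print(candidate, "->", check_outbound_url(candidate, resolve=DEMO_DNS.get))
```

The check is only as good as the fetch that follows it: if the HTTP client resolves the name a second time, the answer can differ from the one validated here. In production the validated address should be what the client connects to (pin it, or resolve inside the client with the same filter), and redirects must be re-checked with the same function.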

Software Supply Chain Failures absorbs and surpasses Vulnerable Components

A06:2021 Vulnerable and Outdated Components covered known-CVE dependencies. A03:2025 Software Supply Chain Failures covers build-system compromise, malicious packages, abandoned components, IDE-extension trust paths, and package-registry attacks. The category took the top spot in OWASP's community survey, with exactly half of respondents ranking it first.

The reframing is honest. The post-2021 incident catalog (SolarWinds, Log4Shell, 3CX, XZ Utils, the steady churn of malicious npm and PyPI uploads, and the TanStack OIDC token extraction in 2026) does not look like a "Dependabot is enough" problem. A06:2021's framing assumed the threat was a dependency you knew about and forgot to upgrade. The 2025 threat is a dependency that was always malicious, or that became malicious after a maintainer handoff, or that was never declared in your manifest because it was bundled inside a JAR you trusted. See the XZ Utils analysis for a worked example.

If your supply chain security spend still terminates at "we run npm audit," the 2025 list is the formal signal that you are out of step with OWASP as a procurement and audit reference. SBOM generation, transitive reachability, and package-source provenance verification are all in scope.

Mishandling of Exceptional Conditions is the new entrant

A10:2025 covers what OWASP calls "improper error handling, logical errors, failing open, and other related scenarios stemming from abnormal conditions." The grouped CWEs:

  • CWE-209 Generation of Error Message Containing Sensitive Information
  • CWE-234 Failure to Handle Missing Parameter
  • CWE-274 Improper Handling of Insufficient Privileges
  • CWE-476 NULL Pointer Dereference
  • CWE-636 Not Failing Securely ("Failing Open")

The reference incident, though OWASP does not name it explicitly, is the July 2024 CrowdStrike Falcon update that blue-screened roughly 8.5 million Windows systems globally. A malformed configuration file reached a kernel driver that dereferenced a NULL pointer. CrowdStrike was not breached. The vulnerability was structural: code that met its happy path with confidence and met its unhappy path with a system crash.

Most SAST tools historically classified this family as code quality rather than security. The 2025 promotion of the category reverses that prioritization. Catch-all blocks that swallow exceptions, authentication middleware that does not fail closed when its IdP times out, and response handlers that emit stack traces in production are now reportable security findings, not just lint output.

What to do with the new categories

Three concrete actions for teams that take the 2025 list as more than a marketing artifact.

First, rebuild the CWE-to-category mapping. A finding tagged as A03:2021 Injection is not the same finding under the 2025 numbering. Auditors and customer-facing security questionnaires will refer to the new numbers within months. Mapping CWE-79 and CWE-89 under A05:2025 is mechanical work, but it has to happen before the next renewal cycle.

Second, expand supply chain detection to match the A03 scope. Pure manifest scanning is not sufficient for a category that explicitly includes build-system compromise. Binary composition analysis (looking inside JARs, wheels, and container layers) and reachability analysis (which vulnerable functions are actually called) are the two upgrades that close the gap between an A06:2021 program and an A03:2025 one. The Log4Shell graph-blindness analysis is the canonical illustration.
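The binary composition half of that upgrade, as an added example written for this post (not Deva's scanner and not code from the page): walk an application JAR recursively, including JARs nested inside JARs, and recover component coordinates from each bundled `pom.properties`, so a library that never appears in the application's own manifest still gets matched against an advisory. The fixture JAR, the `ADVISORIES` table and its "fixed in" version are constructed for the example and are not a real vulnerability feed.

```python
import io
import re
import zipfile
from typing import Iterator, List, Tuple

NESTED_ARCHIVE = (".jar", ".war", ".ear", ".zip")
POM_PROPS = re.compile(r"META-INF/maven/[^/]+/[^/]+/pom\.properties$")

# Constructed advisory data, not a real vulnerability feed: for the example,
# any log4j-core below 2.17.1 is treated as a reportable component.
ADVISORIES = {("org.apache.logging.log4j", "log4j-core"): (2, 17, 1)}


def parse_pom_properties(text: str) -> dict:
    """Minimal key=value parser for Maven's pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def walk_archive(data: bytes, path: str = "", depth: int = 0,
                 max_depth: int = 8) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (location, groupId, artifactId, version) for every Maven component
    found in the archive or in any archive nested inside it, down to max_depth
    levels (a bound against pathological archives). Locations use the JAR URL
    convention outer.jar!/inner.jar!/entry."""
    if depth > max_depth:
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            location = f"{path}!/{name}" if path else name
            if name.lower().endswith(NESTED_ARCHIVE):
                yield from walk_archive(zf.read(name), location, depth + 1, max_depth)
            elif POM_PROPS.search(name):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                yield (location, props.get("groupId", "?"),
                       props.get("artifactId", "?"), props.get("version", "?"))


def find_vulnerable(data: bytes) -> List[Tuple[str, str, str]]:
    """Match every discovered component, at any nesting depth, against ADVISORIES."""
    hits = []
    for location, group, artifact, version in walk_archive(data):
        fixed_in = ADVISORIES.get((group, artifact))
        parsed = parse_version(version)
        if fixed_in and parsed and parsed < fixed_in:
            hits.append((location, f"{group}:{artifact}:{version}",
                         "fixed in " + ".".join(map(str, fixed_in))))
    return hits


def _jar(entries: dict) -> bytes:
    """Build an in-memory zip (JAR) from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_fat_jar() -> bytes:
    """Constructed fixture: an application JAR whose manifest names only the
    application, bundling a vendor SDK that itself bundles an old log4j-core.
    Nothing in the application's own dependency manifest mentions log4j."""
    log4j = _jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",  # placeholder bytes
    })
    vendor_sdk = _jar({
        "META-INF/maven/com.example/vendor-sdk/pom.properties":
            "groupId=com.example\nartifactId=vendor-sdk\nversion=3.2.0\n",
        "lib/log4j-core-2.14.1.jar": log4j,
    })
    return _jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nMain-Class: com.example.App\n",
        "BOOT-INF/lib/vendor-sdk-3.2.0.jar": vendor_sdk,
    })


if __name__ == "__main__":
    for hit in find_vulnerable(build_sample_fat_jar()):
        print(*hit)
```

`pom.properties` is the cheap signal; a shaded or relocated copy that strips `META-INF` defeats it, which is why production tools also fingerprint class names and bytecode hashes. Reachability analysis is the other half: whether the discovered class is ever called is a separate question this walk does not answer.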

Third, audit your error-handling code for A10. The CWEs OWASP grouped are not new, but the framing as security rather than quality is. Search your codebase for empty catch blocks, for default exception handlers that return generic 200s, and for middleware that proceeds when its dependency is unreachable. These are now in scope.
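The middleware pattern this section and the A10 discussion above describe, side by side with its fail-closed replacement, as an added example written for this post rather than code from the page or from Deva. `require_auth_fail_open` is the "before": an identity-provider timeout is swallowed and the request continues with no verified identity (CWE-636). `require_auth` fails closed, and `error_boundary` turns any unhandled exception into an opaque 500 with a correlation id instead of a stack trace (CWE-209). The IdP stubs and handlers are constructed stand-ins.

```python
import logging
import traceback
import uuid
from typing import Callable, Tuple

log = logging.getLogger("auth")

Response = Tuple[int, dict]


def require_auth_fail_open(token: str, introspect: Callable[[str], dict]) -> Response:
    """The pattern A10 describes (CWE-636, failing open): when the identity
    provider is unreachable the outage is swallowed and the request proceeds
    with no verified identity. Kept only as the 'before' to search for."""
    try:
        claims = introspect(token)
        if not claims.get("active"):
            return 401, {"error": "invalid token"}
    except Exception as exc:
        log.warning("idp error, continuing: %s", exc)
        claims = {}  # bug: an unauthenticated request is now treated as authenticated
    return 200, {"sub": claims.get("sub")}


def require_auth(token: str, introspect: Callable[[str], dict]) -> Response:
    """Fail-closed replacement: a missing credential is 401, an IdP failure is
    503 with no detail leaked, and only an affirmatively active token passes."""
    if not token:
        return 401, {"error": "missing credentials"}
    try:
        claims = introspect(token)
    except TimeoutError:
        log.error("idp timeout while validating token; failing closed")
        return 503, {"error": "authentication service unavailable"}
    except Exception:
        log.exception("idp error while validating token; failing closed")
        return 503, {"error": "authentication service unavailable"}
    if not claims.get("active"):
        return 401, {"error": "invalid token"}
    return 200, claims


def error_boundary(run: Callable[[], Response]) -> Response:
    """Outermost handler: any unhandled exception becomes an opaque 500. The
    stack trace (which may carry request data) goes to the server log under
    a correlation id; the client only ever sees the id."""
    try:
        return run()
    except Exception:
        error_id = uuid.uuid4().hex
        log.error("unhandled error %s\n%s", error_id, traceback.format_exc())
        return 500, {"error": "internal error", "error_id": error_id}


def dispatch(token: str, introspect: Callable[[str], dict],
             handler: Callable[[dict], Response]) -> Response:
    """Authenticate, then run the handler, all inside the error boundary."""
    def run() -> Response:
        status, body = require_auth(token, introspect)
        if status != 200:
            return status, body
        return handler(body)
    return error_boundary(run)


# Constructed stand-ins for an identity provider and application handlers.
def idp_ok(token: str) -> dict:
    return {"active": token == "good-token", "sub": "alice"}


def idp_timeout(token: str) -> dict:
    raise TimeoutError("introspection endpoint did not answer")


def handler_profile(claims: dict) -> Response:
    return 200, {"hello": claims["sub"]}


def handler_crash(claims: dict) -> Response:
    # Constructed sensitive detail in the exception message; it must reach the
    # log, never the client.
    raise ValueError("db_password=hunter2")


if __name__ == "__main__":
    print("fail-open during outage:", require_auth_fail_open("good-token", idp_timeout))
    print("fail-closed during outage:", dispatch("good-token", idp_timeout, handler_profile))
    print("healthy:", dispatch("good-token", idp_ok, handler_profile))
    print("handler crash:", dispatch("good-token", idp_ok, handler_crash))
```

The shape to grep for in a codebase audit is the first function: a `try` around the dependency call whose `except` assigns a default and falls through to the success path. The fix is not a narrower `except` but a return on every abnormal branch.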

Where Deva maps

Deva's compliance preset ships the 2025 numbering. Each finding carries its A0X:2025 designation alongside its CWE. For categories without a single-CWE anchor (A03 Supply Chain, A09 Logging and Alerting, A10 Exceptional Conditions), the scanner uses rule packs that flag the structural patterns:

  • A03 Software Supply Chain Failures: SCA against the 27K-CVE catalog, transitive dependency analysis, malicious package detection, build-config scanning.
  • A09 Security Logging and Alerting Failures: state-changing operations without audit-log writes, log statements that capture sensitive payloads (CWE-532), error handlers that expose stack traces (CWE-209).
  • A10 Mishandling of Exceptional Conditions: exception-swallowing catch blocks, authentication middleware that does not fail closed, missing rollback on interrupted transactions, NULL dereferences in nullable-typed languages.

Full per-category mapping is on the OWASP Top 10:2025 landing page. Per-CWE deep guides are in the CWE index.

Frequently asked questions

What changed in OWASP Top 10:2025?

Software Supply Chain Failures (formerly Vulnerable Components) moved up to A03 with a much broader scope, including build-system compromises and malicious packages. Security Misconfiguration jumped to A02. SSRF was consolidated under A01 Broken Access Control. Mishandling of Exceptional Conditions debuted at A10.

Did SSRF get removed from the OWASP Top 10?

SSRF (CWE-918) was removed as a standalone category and consolidated under A01:2025 Broken Access Control. The CWE is still relevant and still scanned for. OWASP determined the boundary between SSRF and broken access control was artificial in practice.

Where does AI-assisted coding fit in the 2025 list?

It does not get its own category. AI-related risks are absorbed into the existing categories, most often A05 Injection for prompt injection patterns, A08 Software or Data Integrity Failures for trust-boundary violations between model output and downstream code, and A06 Insecure Design for AI-suggested architectural mistakes. OWASP publishes a separate Top 10 for LLM Applications that carries the LLM-specific risks.

What is OWASP A10:2025?

A10:2025 is Mishandling of Exceptional Conditions, covering improper error handling, logical errors, and failing-open scenarios. The grouped CWEs include 209, 234, 274, 476, and 636. The most visible recent example is the July 2024 CrowdStrike Falcon kernel-driver crash, which blue-screened roughly 8.5 million Windows systems after a malformed configuration triggered a NULL pointer dereference.
Summer Ann

Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
