OWASP Top 10 (2025)

OWASP Top 10. Mapped to Deva detection.

The OWASP Top 10 is the standard awareness document for web application security. The 2025 edition is the current released version. Major changes from 2021: Software Supply Chain Failures elevated to A03, Security Misconfiguration to A02, SSRF dropped off the list (consolidated under A01 Broken Access Control), and Mishandling of Exceptional Conditions is the new entrant at A10. Each category below links to the underlying CWE detection guides Deva ships, real-world breaches that fell into the category, and the compliance frameworks that explicitly require coverage.

A01Critical

Broken Access Control

Authorization that fails to enforce who can do what.

What it is

Broken access control retains the #1 position in OWASP Top 10:2025. It covers any path by which a user performs an action they should not be authorized to perform: bypassing access checks via URL manipulation, modifying request metadata, accessing another user's resources via Insecure Direct Object Reference (IDOR), elevating privileges, or performing state changes that should require additional confirmation. Modern web frameworks ship with secure-by-default access patterns, but mis-applied or skipped checks remain the dominant root cause of disclosed breaches. The 2025 edition also explicitly includes server-side request forgery patterns under this category (which was previously its own A10:2021 entry).

Common patterns

  • IDOR: fetching a resource by a request-supplied ID without verifying the authenticated user owns or has rights to it.
  • Skipping authorization on backend APIs because the UI does not surface a link to the action.
  • CSRF: state-changing operations that lack a token, SameSite cookie attribute, or origin check.
  • Privilege escalation through parameter tampering (role=admin in a request body).
  • Path traversal allowing read or write of files outside the intended directory.
  • SSRF: server-side fetches against user-supplied URLs without allowlist or IMDS protection.
  • CORS misconfiguration that allows credentialed requests from any origin.

CWE guides Deva ships for A01

What Deva detects

Deva detects API handlers that accept resource IDs from the request without enforcing an ownership predicate in the database query. The scanner identifies routes lacking authentication middleware on sensitive paths, missing CSRF token validation on state-changing endpoints, and path operations that do not canonicalize against a permitted root. SSRF-prone fetches and IMDS-targeted requests are flagged with allowlist-resolver fix suggestions.

Real-world breaches in this category

2019

Capital One (100M records)

A WAF misconfiguration combined with SSRF and broken access control allowed exfiltration of credit application data for over 100 million Americans. The compromised IAM role had access to S3 buckets that should have been outside its authorization scope.

2022

Optus (10M records)

An exposed API endpoint without authorization checks allowed enumeration of customer records by incrementing an identifier. The endpoint was not internet-facing in design but had been published on a misconfigured subdomain.

2018

USPS Informed Visibility API

A REST API allowed any logged-in usps.com user to query mailing data for any user account by changing a parameter, exposing data for roughly 60 million users until disclosure.

Compliance impact

  • ·NIST 800-53 AC-3 Access Enforcement, AC-6 Least Privilege
  • ·PCI-DSS v4.0 Req 7.2 Access control system
  • ·HIPAA 164.312(a)(1) Access Control
  • ·CMMC 2.0 AC.L2-3.1.1, AC.L2-3.1.2
  • ·GDPR Article 32 Security of processing
A02High

Security Misconfiguration

Insecure defaults, unnecessary features, or misapplied permissions left in production.

What it is

Security Misconfiguration moves up from A05:2021 to A02 in 2025, reflecting that configuration drift is now the #2 most common cause of exposure across applications tested. The category covers any deployment state where a system is exposed because of how it is configured, not how it is coded. Examples include cloud storage buckets with public-read access, debug endpoints reachable in production, default credentials never changed, XML parsers with external entities enabled, unnecessary features running on production hosts, and missing security headers (Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options). XML External Entity (XXE) is consolidated into this category in 2025.

Common patterns

  • S3, GCS, or Azure Blob storage with public-read or list-bucket permissions on private data.
  • XML parsers (lxml, DocumentBuilderFactory, XmlReader) instantiated without disabling external entities (XXE).
  • Verbose error pages or debug endpoints (DEBUG=True in Flask/Django, app.debug=true in Express) live in production.
  • Default credentials on databases, admin panels, or management interfaces.
  • Security headers missing or misconfigured: no HSTS, weak CSP, missing X-Frame-Options.
  • Cloud IAM policies with wildcard resources (Resource: *) on actions that should be scoped.

CWE guides Deva ships for A02

What Deva detects

Deva includes IaC scanning rules for Dockerfile, Kubernetes manifests, Terraform, and CloudFormation. The rule pack flags S3 buckets with PublicRead ACLs, IAM policies with Resource:'*', containers running as root, Kubernetes services without network policies, and missing security headers in framework configs. XML parser instantiations without secure-defaults arguments are reported per language. Debug-flag detectors flag production configs that leave verbose error handling enabled.

Real-world breaches in this category

2017

Verizon (14M records via S3)

A vendor-managed S3 bucket containing customer service call data was set to public read. The exposure was discovered during a routine third-party audit. The same pattern has been the root cause of dozens of large disclosures since 2017.

2020

Microsoft Power Apps (38M records)

Default OData API permissions on Microsoft Power Apps portals made customer data publicly queryable. The defaults were technically documented but not surfaced clearly to administrators, illustrating how misconfiguration risk shifts when the secure-by-default expectation is unmet.

Compliance impact

  • ·NIST 800-53 CM-6 Configuration Settings, CM-7 Least Functionality
  • ·PCI-DSS v4.0 Req 2.2 Secure configurations
  • ·CMMC 2.0 CM.L2-3.4.1 Baseline configuration, CM.L2-3.4.6 Least functionality
  • ·FedRAMP CM-6, CM-7
A03Critical

Software Supply Chain Failures

Breakdowns or malicious changes in the process of building, distributing, or updating software.

What it is

Software Supply Chain Failures is the renamed and significantly expanded successor to A06:2021 Vulnerable and Outdated Components. It moves up to #3 and broadens scope beyond just known-vulnerable dependencies to include all supply chain compromises: malicious packages, build-system attacks, IDE-extension compromises, and unmaintained components. Top-ranked in the 2025 community survey with 50% of respondents placing it #1. OWASP's relevant CWEs include CWE-477 (Obsolete Function), CWE-1104 (Unmaintained Third-Party Components), CWE-1329 (Reliance on Component That is Not Updateable), and CWE-1395 (Dependency on Vulnerable Third-Party Component).

Common patterns

  • Direct or transitive dependencies on packages with published CVEs and available patches.
  • Versions pinned to ranges (^1.2.3) that pull in compromised versions when an upstream account is hijacked.
  • Typosquatting: installing 'reactt' (typo) instead of 'react' and getting an attacker-controlled package.
  • Out-of-date container base images that ship known-vulnerable system libraries.
  • Use of packages whose maintainers have abandoned them, leaving published vulnerabilities unpatched.
  • Build systems (CI/CD, package registries, IDE extensions) compromised upstream of your code.
  • Components installed without integrity hashes or signature verification.

What Deva detects

Deva's SCA layer maintains a 27,000+ CVE advisory catalog synced from NVD, GHSA, and OSV, cross-referenced against a 2,800+ package metadata catalog. Scans match every direct and transitive dependency against the catalog, surfacing CVE ID, severity, fix version, and reachability indicators. Container scans use the same CVE catalog applied to base image system packages. The dsc CLI runs SCA as a CI step alongside SAST. Package metadata flags (low maintainer count, abandoned status, suspicious version ranges) are reported as advisories.

Real-world breaches in this category

2017

Equifax (Apache Struts CVE-2017-5638)

Apache Struts had a published CVE with patches available for 60+ days when Equifax was breached through the same vulnerability. The disclosure stage was textbook supply chain: a known vulnerable component that was not updated.

2021

Log4Shell (CVE-2021-44228)

A remote code execution vulnerability in the ubiquitous Log4j logging library affected tens of thousands of organizations. The transitive nature of the dependency made it difficult to find: organizations did not always know they were using Log4j until they scanned for it.

2024

XZ Utils backdoor (CVE-2024-3094)

A multi-year social engineering campaign placed a backdoor in the upstream xz-utils compression library. The backdoor targeted SSH authentication on Linux systems. The supply-chain attack was caught by an unrelated performance regression before mass exploitation.

2020

SolarWinds Orion (multiple victims)

Attackers gained access to SolarWinds' build pipeline and injected malicious code into Orion update packages signed with SolarWinds' legitimate signing key. Thousands of organizations including US federal agencies installed the trojaned updates. The canonical build-system supply chain attack.

Compliance impact

  • ·NIST 800-53 RA-5 Vulnerability Monitoring, SI-2 Flaw Remediation, SR Supply Chain Risk Management
  • ·PCI-DSS v4.0 Req 6.3 Custom and third-party software vulnerabilities
  • ·HIPAA 164.308(a)(8) Evaluation
  • ·CMMC 2.0 RA.L2-3.11.2 Vulnerability scan, SI.L2-3.14.1 Flaw remediation
  • ·EO 14028 SBOM requirements for federal software
A04High

Cryptographic Failures

Sensitive data exposed because cryptography is missing, weak, or misused.

What it is

Cryptographic Failures moves down from A02:2021 to A04:2025 as Security Misconfiguration and Supply Chain Failures overtake it in prevalence. The category covers any path by which sensitive data is exposed because of inadequate cryptographic protection. Manifestations include missing encryption in transit or at rest, weak algorithms (DES, MD5, SHA-1 for passwords), hardcoded credentials, weak or predictable random number generation, and improper key management. The consequences of disclosure are often immediate and unrecoverable: leaked passwords cannot be unleaked.

Common patterns

  • Hashing passwords with fast algorithms (MD5, SHA-256) instead of bcrypt, argon2, or scrypt.
  • AES with ECB mode (visible patterns) or CBC without HMAC (padding oracle vulnerabilities).
  • Hardcoded API keys, database passwords, or signing secrets in source code.
  • Math.random or other non-cryptographic PRNGs used for tokens, session IDs, or salts.
  • HTTP endpoints transmitting credentials, tokens, or PII without TLS.
  • Stack traces, debug pages, or error responses that include sensitive system or user data.

CWE guides Deva ships for A04

What Deva detects

Deva matches algorithm and mode constructors across language ecosystems and flags use of broken or unsuitable primitives in security contexts. The scanner runs high-confidence regex detectors for AWS keys, Stripe tokens, GitHub PATs, OpenAI and Anthropic keys, and other credential formats. Error-handling rules flag handlers that return stack traces, debug objects, or full request bodies to clients.

Real-world breaches in this category

2017

Equifax (147M records)

Sensitive consumer data was exfiltrated in part because of unencrypted internal traffic and credentials stored in plaintext on internal systems. Initial access was via an unpatched Apache Struts vulnerability, but the impact was amplified by cryptographic failures downstream.

2022

LastPass (encrypted vault leak)

Encrypted password vaults were exfiltrated from a backup. Vault contents were protected by user master passwords. Master passwords with weak entropy and old (pre-2018) hashing iterations remained crackable offline.

Compliance impact

  • ·NIST 800-53 SC-13 Cryptographic Protection, IA-5 Authenticator Management
  • ·PCI-DSS v4.0 Req 3.6 Cryptographic key management, Req 8.3.2 Strong cryptography
  • ·HIPAA 164.312(a)(2)(iv) Encryption and Decryption, 164.312(e)(2)(ii) Encryption in transit
  • ·FedRAMP SC-13 Cryptographic Protection
  • ·GDPR Article 32 (pseudonymization, encryption)
A05Critical

Injection

Untrusted input interpreted as code or commands by a downstream interpreter.

What it is

Injection drops from A03:2021 to A05:2025 but remains a critical category. It covers any vulnerability in which an attacker supplies data that the application then passes to an interpreter (SQL, shell, OS, expression engine, template, LDAP, XPath) without proper validation or parameterization. The interpreter executes the injected content, often granting the attacker the privileges of the application's identity in that subsystem. SQL injection in particular has appeared in every published OWASP Top 10 since the document's inception.

Common patterns

  • SQL queries built by string concatenation or template-string interpolation of user input.
  • Shell commands constructed from request parameters (filename, URL, hostname).
  • eval, new Function, or exec called with user-controlled strings.
  • NoSQL injection through MongoDB query operators accepted from request bodies ($where, $regex).
  • LDAP injection in directory queries built from user input.
  • XSS: HTML or JavaScript injected into pages via unsanitized output.
  • ORM injection: parameterized libraries used incorrectly, or raw queries bypassing the ORM's safety layer.

CWE guides Deva ships for A05

What Deva detects

Deva tracks data flow from request inputs through query builders, shell invocations, dynamic code paths, and template engines to identify cases where untrusted data reaches a sensitive sink without parameterization or sanitization. The rule pack covers language-specific patterns for Sequelize, Knex, Prisma raw, sqlx, pg, mysql2, psycopg2, SQLAlchemy text(), Django raw(), Active Record connection.execute(), JDBC PreparedStatement misuse, child_process variants in Node, subprocess in Python, Runtime.exec in Java, and JavaScript and Python eval surfaces.

Real-world breaches in this category

2008

Heartland Payment Systems (130M records)

SQL injection in a public-facing web form gave attackers a foothold that they expanded into the payment processing network. At the time it was the largest disclosed payment-card breach in US history.

2017

Apache Struts CVE-2017-5638 (multiple victims)

An expression-language injection vulnerability in Apache Struts allowed remote code execution. Equifax, Canadian government agencies, and others were compromised through the same flaw before patches were applied.

Compliance impact

  • ·NIST 800-53 SI-10 Information Input Validation
  • ·PCI-DSS v4.0 Req 6.2.4 Software engineering techniques
  • ·HIPAA 164.312(c)(1) Integrity controls
  • ·CMMC 2.0 SI.L2-3.14.1 Flaw remediation
A06High

Insecure Design

Architectural decisions that create vulnerabilities no amount of clean implementation can fix.

What it is

Insecure Design moves from A04:2021 to A06:2025. It covers vulnerabilities that are baked into the system before any line of code is written: business logic flaws (rate limits that are not enforced, password reset flows that allow account takeover by design, file upload features that cannot be safely implemented), missing threat modeling, and reliance on user-supplied trust labels. Unlike injection or auth bugs, insecure design issues persist through code-level fixes because the design itself is the vulnerability.

Common patterns

  • File upload features without a viable threat model (allowed types, storage location, serving behavior).
  • Password reset flows that confirm reset based on knowledge of public information.
  • Rate limits enforced client-side, or applied per IP rather than per identity, or absent entirely.
  • Multi-tenant architectures that scope by request parameter rather than by the authenticated identity.
  • Privileged operations that rely on the absence of a UI link to remain undiscovered ('security by obscurity').
  • Workflows that assume an out-of-band step has occurred when it has not been verified.

CWE guides Deva ships for A06

What Deva detects

Insecure design is partly architectural and not fully detectable by code-level static analysis. Deva surfaces structural smells (file uploads without extension allowlists, missing rate limits on auth endpoints, absent CSRF tokens on state-changing routes) but cannot replace threat modeling. The Custom Compliance Framework Builder lets teams encode their own design rules (for example: every payment route must touch the audit log) so design intent is enforced at scan time.

Real-world breaches in this category

2019

Twitter SMS-based 2FA design

Twitter's design tied 2FA to phone numbers in a way that could be hijacked via SIM-swap attacks. The flaw was structural: any system that uses SMS as a second factor inherits SIM-swap risk. The design has since been deprecated industry-wide for high-value accounts.

2017

Equifax web portal credentials

An internal portal used 'admin' as both the username and password, an insecure-design pattern that bypassed any code-level authentication strength. Code review did not catch this because the choice was a configuration decision.

Compliance impact

  • ·NIST 800-53 SA-8 Security Engineering Principles, SA-11 Developer Security Testing
  • ·PCI-DSS v4.0 Req 6.2 Secure software development
  • ·CMMC 2.0 SA.L2-3.1.20 External system protections
A07Critical

Authentication Failures

Weak, missing, or improperly implemented authentication.

What it is

Authentication Failures (renamed in 2025 from Identification and Authentication Failures, retaining the A07 slot) covers any failure to correctly verify the identity of an entity interacting with the application. Manifestations include missing authentication on critical functions, brute-forceable login flows, weak password policies, predictable session identifiers, JWT validation that decodes but does not verify, and credential stuffing surface area without monitoring. Authentication failures are the foundational weakness behind most disclosed account takeovers and an explicit control area in HIPAA, PCI-DSS, and CMMC.

Common patterns

  • Routes with no authentication middleware on sensitive paths (/admin, /internal, /debug).
  • JWT verification calls with verify:false, missing signing key, or accepting 'alg':'none'.
  • Login flows without rate limiting, account lockout, or CAPTCHA on repeated failures.
  • Password requirements that allow trivially-crackable choices ('a' or '12345').
  • Hardcoded API keys, DB passwords, or signing secrets in source.
  • Session IDs generated from predictable sources (timestamps, weak PRNG, sequential counters).

CWE guides Deva ships for A07

What Deva detects

Deva flags routes whose path suggests sensitivity (admin, internal, debug, dashboard) and that lack any authentication middleware in their chain. The scanner detects JWT.verify with verify:false, signing-key references that resolve to literal short strings, password comparison without constant-time helpers, and session ID generation using Math.random or other weak sources. Hardcoded credential detectors run continuously in the IDE and as a CI step.

Real-world breaches in this category

2021

Colonial Pipeline ransomware

Initial access was a leaked legacy VPN password reused from another breach. The VPN account remained active despite being unused, and 2FA was not enforced on it. The ransom payment was ultimately around 4.4 million USD.

2020

SolarWinds Orion supply chain attack

Attackers planted credentials in the build pipeline through which Orion updates were signed. Although the proximate cause was build-system compromise, the broader weakness was that build-system access was not subject to phishing-resistant authentication.

Compliance impact

  • ·NIST 800-53 IA-2 Identification and Authentication
  • ·PCI-DSS v4.0 Req 8.3 Strong authentication, Req 8.4 Multi-factor authentication
  • ·HIPAA 164.312(d) Person or Entity Authentication, 164.308(a)(5) Security Awareness Training
  • ·CMMC 2.0 IA.L2-3.5.1 Identify users
A08High

Software or Data Integrity Failures

Code or data accepted from untrusted sources without integrity verification.

What it is

Software or Data Integrity Failures retains its position at A08 in 2025. It covers any path by which untrusted code or data flows into a trust boundary without verification. Examples include insecure deserialization (where an attacker-controlled byte stream is reconstructed into application objects), CI/CD pipelines that trust unauthenticated artifact sources, auto-update mechanisms that fetch updates over insecure channels, and dependencies installed from registries without integrity hashes. The category overlaps with A03:2025 Software Supply Chain Failures but focuses specifically on the integrity-verification gap rather than the broader supply-chain context.

Common patterns

  • Python pickle.load on data from HTTP requests, message queues, or cache backends.
  • Java ObjectInputStream.readObject on data from network sources (gadget-chain RCE).
  • .NET BinaryFormatter on attacker-controlled bytes.
  • PHP unserialize on cookie or query-string values.
  • CI/CD steps that fetch scripts from URLs without hash pinning or signature verification.
  • Package installations without lockfile or integrity-hash verification.

CWE guides Deva ships for A08

What Deva detects

Deva flags every call site that deserializes data via a format capable of arbitrary class instantiation (pickle, ObjectInputStream, BinaryFormatter, NetDataContractSerializer, PHP unserialize, Ruby Marshal, YAML.load without SafeLoader). Findings include the upstream data source and a suggested format alternative (JSON, MessagePack, Protobuf) that does not deserialize into application objects.

Real-world breaches in this category

2020

SolarWinds Orion (multiple victims)

Attackers gained access to SolarWinds' build pipeline and injected malicious code into Orion update packages. The packages were signed with SolarWinds' legitimate signing key and distributed through the normal update channel. Thousands of organizations including US federal agencies installed the trojaned updates.

2015

Apache Commons Collections deserialization

Discovery of gadget chains in widely-used Java libraries (Apache Commons Collections, Spring AOP) enabled reliable remote code execution against any application that deserialized Java objects from network sources. The class of exploit affected JBoss, WebSphere, WebLogic, and Jenkins among many other Java applications.

Compliance impact

  • ·NIST 800-53 SI-7 Software, Firmware, and Information Integrity
  • ·PCI-DSS v4.0 Req 6.5.5 Improper error handling and data integrity
  • ·CMMC 2.0 SI.L2-3.14.1 Flaw remediation, SI.L2-3.14.4 Update protections
A09Medium

Security Logging and Alerting Failures

Attacks succeed undetected because the application does not log enough, or no alert is raised when something is logged.

What it is

Security Logging and Alerting Failures retains A09 in 2025, with a name change from 'Logging and Monitoring' to emphasize the alerting function needed to induce action on relevant logging events. The category covers gaps in the observability stack that let an attack progress undetected: missing logs on auth events, logs that are written but never reviewed, log storage that the attacker can also reach, log formats that lose attribution detail (no user ID, no source IP), and detection rules that exist but are not tuned. OWASP relevant CWEs include CWE-117 (Improper Output Encoding for Logs), CWE-532 (Inserting Sensitive Data into Log Files), and CWE-778 (Insufficient Logging).

Common patterns

  • Authentication and authorization decisions logged at INFO without source IP, user ID, or correlation ID.
  • Failed login attempts not logged at all, or logged without enough metadata to detect credential stuffing.
  • Privilege changes, role assignments, or permission grants not audit-logged.
  • Application logs stored in the same blast radius as the application (attacker who compromises the app also tampers with the logs).
  • Log retention shorter than the typical breach dwell time.
  • Alerts wired to channels (email, low-priority Slack) that are not acted on.

What Deva detects

Deva includes a configurable rule pack that flags state-changing operations (privilege changes, financial transactions, permission grants, data exports) where no audit-log write is present in the same function. The rule is intentionally tunable: not every state change needs an audit log, but most regulated operations do. The compliance frameworks for HIPAA, PCI-DSS, and SOX all impose specific logging requirements that this rule pack maps to.

Real-world breaches in this category

2013

Target (40M payment cards)

The intrusion was detected by Target's FireEye sensors and reported into a malware management console. The alerts were not acted on for two weeks while attackers exfiltrated payment data. The technical detection succeeded; the operational response failed.

2023

MOVEit Transfer (CL0P campaign)

CL0P exploited a zero-day in MOVEit Transfer (CVE-2023-34362) and exfiltrated data from hundreds of organizations. Many victims discovered the breach weeks later via extortion notices because logging in MOVEit did not surface the anomalous SQL injection patterns the campaign used.

Compliance impact

  • ·NIST 800-53 AU-2 Event Logging, AU-12 Audit Record Generation
  • ·PCI-DSS v4.0 Req 10 Logging and monitoring
  • ·HIPAA 164.312(b) Audit Controls
  • ·SOX Section 404 (audit trail integrity)
  • ·CMMC 2.0 AU.L2-3.3.1 Audit logs, AU.L2-3.3.5 Audit correlation
A10Medium

Mishandling of Exceptional Conditions

Programs that fail to prevent, detect, and respond to unusual situations, leading to crashes, unexpected behavior, and vulnerabilities.

What it is

Mishandling of Exceptional Conditions is new to A10:2025, replacing Server-Side Request Forgery (which dropped off the list and is now consolidated under A01:2025 Broken Access Control). The category covers improper error handling, logical errors, failing open, and other scenarios stemming from abnormal conditions that systems may encounter. It consolidates CWEs previously associated with 'poor code quality' into a more actionable category. OWASP's notable CWEs for this category: CWE-209 (Generation of Error Message Containing Sensitive Information), CWE-234 (Failure to Handle Missing Parameter), CWE-274 (Improper Handling of Insufficient Privileges), CWE-476 (NULL Pointer Dereference), and CWE-636 (Not Failing Securely / 'Failing Open').

Common patterns

  • Error handlers that catch exceptions broadly and then ignore them, allowing the application to continue in an undefined state.
  • Failing open: when an authentication or authorization check throws, the request is allowed through instead of rejected.
  • Stack traces or full exception details returned to the client, exposing internal paths, schema, and library versions.
  • Missing input validation that lets unexpected types or formats reach downstream logic.
  • NULL pointer dereferences in languages where checks would prevent crashes (Java, C, C++, Go without proper guards).
  • Transactions that partially complete and are not rolled back when an exceptional condition interrupts them.
  • Race conditions where unexpected timing causes inconsistent state.

What Deva detects

Deva's rule pack flags catch blocks that swallow exceptions without logging or rethrowing, authentication or authorization middleware that does not fail closed on errors, and response handlers that include exception details in production responses. Transaction rollback patterns are checked across database and message-queue boundaries. NULL-check rules apply per language (e.g., kotlin nullable types, Java Optional patterns, Go nil checks before dereference).

Real-world breaches in this category

2024

CrowdStrike Falcon update (July 2024)

A bad configuration update to the CrowdStrike Falcon sensor triggered a NULL pointer dereference in the kernel driver, causing roughly 8.5 million Windows systems worldwide to blue-screen. The incident demonstrated how mishandling of an exceptional condition (malformed config) at the kernel level can cascade into a global outage. Estimated direct cost exceeded 5 billion USD.

2020

Cloudflare HTTP/2 outage

A regex performance pathology combined with insufficient timeout handling caused widespread Cloudflare-served sites to return 500 errors. The exceptional condition (catastrophic backtracking) was not handled with appropriate circuit-breaker logic at the edge.

Compliance impact

  • ·NIST 800-53 SI-11 Error Handling, SI-10 Information Input Validation
  • ·PCI-DSS v4.0 Req 6.5.5 Improper error handling and data integrity
  • ·CMMC 2.0 SI.L2-3.14.1 Flaw remediation
  • ·NIST SSDF PW.8 (secure error handling in development practices)

What changed in 2025: The published OWASP Top 10:2025 differs in important ways from the public-review draft. SSRF (A10:2021) dropped off the list entirely (its CWE-918 is now consolidated under A01 Broken Access Control). The new A10 is Mishandling of Exceptional Conditions, replacing the LLM category that some drafts speculated about. Software Supply Chain Failures (formerly A06:2021 Vulnerable Components) was renamed, expanded in scope, and elevated to A03. Security Misconfiguration moved to A02. Authentication Failures keeps A07 with a shorter name.

Citation note: OWASP Top 10 category descriptions and rankings are maintained by the OWASP Foundation under Creative Commons licensing. Sourced from owasp.org/Top10/2025. The breach summaries and Deva-specific detection details on this page are written by the Deva Security Team. Direct-link to any category via /owasp#a01-broken-access-control.