Every few years (roughly every three to four), the Open Web Application Security Project (OWASP) publishes its Top 10 list of the most critical security risks facing web applications. The list was last published in 2021, which makes 2025 the year for an update. OWASP determines the list from a large pool of data: vulnerability data contributed by vendors and organizations, bug bounty programs, and internal data contributed by organizations. In this blog, we will take a look at CVE data from 2021 through 2024 to make a rough estimate of what the OWASP Top 10 2025 list will look like.
Why CVE Data?
The data submitted by organizations for the Top 10 list has grown significantly each time around, with over 500k applications covered by the 2021 call for data. Since the massive data set OWASP works from is not public, we will use open data, namely CVE records, to keep our predictions data-driven. Individual CVE records can be queried from MITRE at https://cveawg.mitre.org/api/cve/<CVE-ID>. Each record carries a CWE (Common Weakness Enumeration) mapping where the reporting CNA supplied one, which drastically helps with data analysis. Luckily, the CVEProject GitHub repository (cvelistV5) mirrors this data from MITRE every hour, so we do not have to scrape it one API request at a time.
Data Collection
Python was used to extract the CWE and CVSS base score metrics from the CVE data. Let's break down the different components of the code written for data collection and analysis.
To start, a function called get_owasp_2021_cwes was defined that returns a dictionary of the OWASP Top 10 2021 categories and the CWEs mapped to each of them. This lets us map the 2021-2024 CVE data onto the 2021 Top 10, since many of those categories will likely be reused in 2025.
The repository contains a directory called "cvelist" holding the 2021-2024 CVE records pulled directly from CVEProject. The code iterates through every file in that directory and extracts the CWE IDs and the CVSS base score with regular expressions. The results are accumulated into the following JSON data structure so that the analysis step is straightforward.
{
'CWE-ID': {
'OWASP 2021 Mapping': String,
'count': int,
'baseScoreTotal': float,
'baseScoreCount': int,
'baseScoreAverage': float
}
}
This data structure is a dictionary of dictionaries. The top-level dictionary key is a specific CWE and the value of that key is a dictionary with various data metrics collected on the CWE from the CVE data.
The collected metrics are as follows:
- OWASP 2021 Mapping – If the CWE is mapped to an OWASP top 10 2021 category, that category will be defined here.
- count – The number of times the CWE was identified across all CVEs.
- baseScoreTotal – The sum of the CVSS base scores of all CVEs carrying this CWE.
- baseScoreCount – The number of CVEs with this CWE that actually had a base score (not every record carries CVSS metrics, so this can be lower than count).
- baseScoreAverage – The value of baseScoreTotal divided by baseScoreCount to get the average base score rating for the CWE category.
For example, here is the data gathered for the CWE with the most CVEs, CWE-79 (cross-site scripting):
{
'CWE-79': {
'OWASP 2021 Mapping': 'a03_injection',
'count': 19723,
'baseScoreTotal': 101081.01999999625,
'baseScoreCount': 16958,
'baseScoreAverage': 5.96
}
}
Our data collection differs from OWASP's in one key respect. OWASP measures incidence rate rather than raw frequency: if ten cross-site scripting vulnerabilities are discovered in a single application, that application is counted once for XSS rather than ten times. OWASP wants to know how many applications had a particular issue, not how many times the issue showed up. Because plain CVE counts were used here, our results are biased towards weakness classes that produce many CVEs per product (XSS in a large CMS ecosystem, for instance), and we will adjust some predictions where that bias obviously matters.
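Here is an added example, not the post's own collection script, that builds the per-CWE structure described above from CVE JSON 5.x records in the layout the cvelistV5 repository uses. It parses the JSON rather than running regular expressions over it (the CWE ID sits under containers.cna.problemTypes, the CVSS score under containers.cna.metrics), and it adds an "incidence" field that counts distinct affected (vendor, product) pairs per CWE, the closest CVE data gets to OWASP's incidence-rate method. The OWASP 2021 mapping is a deliberately abbreviated subset of the official one, and the four records it runs on are constructed placeholders, not published CVEs.

```python
import json
from collections import defaultdict
from pathlib import Path
from typing import Any, Dict, Iterable, Optional, Set, Tuple

# OWASP Top 10 2021 category -> CWE IDs. Deliberately a SUBSET of the official
# mapping; the full per-category lists are published by OWASP.
OWASP_2021_CWES: Dict[str, Set[str]] = {
    "a01_broken_access_control": {"CWE-22", "CWE-284", "CWE-285", "CWE-352",
                                  "CWE-639", "CWE-862", "CWE-863"},
    "a02_cryptographic_failures": {"CWE-319", "CWE-326", "CWE-327", "CWE-328", "CWE-330"},
    "a03_injection": {"CWE-77", "CWE-78", "CWE-79", "CWE-89", "CWE-94"},
    "a05_security_misconfiguration": {"CWE-16", "CWE-611"},
    "a07_identification_and_authentication_failures": {"CWE-287", "CWE-306", "CWE-798"},
    "a10_ssrf": {"CWE-918"},
}
# Inverted lookup: CWE ID -> category name.
CWE_TO_OWASP: Dict[str, str] = {
    cwe: category for category, cwes in OWASP_2021_CWES.items() for cwe in cwes
}
# CVSS versions in order of preference when a record carries more than one.
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")


def extract_record(record: Dict[str, Any]) -> Tuple[Set[str], Optional[float], Set[Tuple[str, str]]]:
    """Pull the CWE IDs, one CVSS base score and the affected (vendor, product)
    pairs out of a single CVE JSON 5.x record."""
    cna = record.get("containers", {}).get("cna", {})
    cwes = {
        desc["cweId"]
        for problem in cna.get("problemTypes", [])
        for desc in problem.get("descriptions", [])
        if desc.get("cweId")
    }
    score: Optional[float] = None
    for metric in cna.get("metrics", []):
        for key in CVSS_KEYS:
            if "baseScore" in metric.get(key, {}):
                score = float(metric[key]["baseScore"])
                break
        if score is not None:
            break
    products = {(a.get("vendor", "n/a"), a.get("product", "n/a")) for a in cna.get("affected", [])}
    return cwes, score, products


def aggregate(records: Iterable[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Build the per-CWE structure from the post, plus an 'incidence' field that
    counts distinct affected products instead of raw CVEs."""
    stats: Dict[str, Dict[str, Any]] = {}
    products_seen: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for record in records:
        cwes, score, products = extract_record(record)
        for cwe in cwes:
            entry = stats.setdefault(cwe, {
                "OWASP 2021 Mapping": CWE_TO_OWASP.get(cwe),
                "count": 0, "baseScoreTotal": 0.0, "baseScoreCount": 0,
                "baseScoreAverage": None, "incidence": 0,
            })
            entry["count"] += 1
            if score is not None:  # records without CVSS metrics are counted but not scored
                entry["baseScoreTotal"] += score
                entry["baseScoreCount"] += 1
            products_seen[cwe].update(products)
    for cwe, entry in stats.items():
        entry["incidence"] = len(products_seen[cwe])
        if entry["baseScoreCount"]:
            entry["baseScoreAverage"] = round(entry["baseScoreTotal"] / entry["baseScoreCount"], 2)
    return stats


def totals_by_category(stats: Dict[str, Dict[str, Any]], key: str = "count") -> Dict[str, int]:
    """Sum a per-CWE field ('count' or 'incidence') per OWASP 2021 category."""
    totals: Dict[str, int] = defaultdict(int)
    for entry in stats.values():
        totals[entry["OWASP 2021 Mapping"] or "unmapped"] += entry[key]
    return dict(totals)


def load_records(root: str) -> Iterable[Dict[str, Any]]:
    """Yield every CVE-*.json file below a cvelistV5-style directory tree."""
    for path in Path(root).rglob("CVE-*.json"):
        with path.open(encoding="utf-8") as fh:
            yield json.load(fh)


def _record(cve_id: str, cwes, score: Optional[float], vendor: str, product: str) -> Dict[str, Any]:
    """Build a minimal CVE JSON 5.x record. Constructed test data, not a real CVE."""
    cna: Dict[str, Any] = {
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": c, "description": c} for c in cwes]}],
        "affected": [{"vendor": vendor, "product": product}],
    }
    if score is not None:
        cna["metrics"] = [{"cvssV3_1": {"version": "3.1", "baseScore": score}}]
    return {"dataType": "CVE_RECORD", "dataVersion": "5.1",
            "cveMetadata": {"cveId": cve_id}, "containers": {"cna": cna}}


# Constructed sample records (the IDs are placeholders, not published CVEs).
SAMPLE_RECORDS = [
    _record("CVE-2024-00001", ["CWE-79"], 6.1, "ExampleCo", "Widget"),
    _record("CVE-2024-00002", ["CWE-79"], 5.4, "ExampleCo", "Widget"),    # second XSS in the same product
    _record("CVE-2024-00003", ["CWE-787"], 7.8, "ExampleCo", "libparse"),  # memory-safety bug, no OWASP mapping
    _record("CVE-2024-00004", ["CWE-918"], None, "ExampleCo", "Gateway"),  # no CVSS metrics at all
]

if __name__ == "__main__":
    stats = aggregate(SAMPLE_RECORDS)  # swap in aggregate(load_records("cvelist")) for a real tree
    print(json.dumps(stats, indent=2))
    print(totals_by_category(stats), totals_by_category(stats, "incidence"))
```

On the sample data CWE-79 shows count 2 but incidence 1, because both XSS records hit the same product; that gap is exactly what OWASP's method collapses and raw CVE counting does not. Keying incidence on (vendor, product) is still only an approximation, since one product in CVE terms is not necessarily one application in OWASP's.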
Data Analysis
Mapping CVEs to the OWASP 2021 List
The first portion of the data analysis phase consisted of mapping each CVE back to a CWE within the OWASP Top 10 2021 list. Since many categories will most likely carry over from the 2021 list, this helps us estimate their placement in the new one.
Injection and broken access control beat all the other categories by a wide margin. Here is the number of CVEs per category:
- A01:2021 Broken Access Control – 21,218
- A02:2021 Cryptographic Failures – 1,566
- A03:2021 Injection – 35,561
- A04:2021 Insecure Design – 5,161
- A05:2021 Security Misconfiguration – 598
- A06:2021 Vulnerable and Outdated Components – 14
- A07:2021 Identification and Authentication Failures – 4,291
- A08:2021 Software and Data Integrity Failures – 1,873
- A09:2021 Security Logging and Monitoring Failures – 658
- A10:2021 Server-Side Request Forgery (SSRF) – 986
Common CWEs not Included in OWASP 2021
Next, let's take a look at the 50 CWEs with the most CVEs and see which of them don't fall into any OWASP Top 10 2021 category.
These results are very interesting: the six most frequent unmapped CWEs are all memory-safety weaknesses. This is especially notable because in 2021 OWASP listed, under the heading "A11:2021 – Next Steps", three additional categories that were just on the cusp of making the list: code quality issues, denial of service, and memory management errors.
The unmapped CWEs in the 2021-2024 data, in descending order of CVE count, are:
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
- CWE-416: Use After Free
- CWE-121: Stack-based Buffer Overflow
- CWE-122: Heap-based Buffer Overflow
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-400: Uncontrolled Resource Consumption
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-476: NULL Pointer Dereference
- CWE-190: Integer Overflow or Wraparound
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-427: Uncontrolled Search Path Element
- CWE-126: Buffer Over-read
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-404: Improper Resource Shutdown or Release
This was not the result we expected. Most of these CWEs fit directly into the "memory management errors" category, and a few (CWE-400, CWE-770 and CWE-404, all about resource exhaustion or release) would fit the "denial of service" category just as well.
Running the same analysis on the 2017-2020 data, the window behind the 2021 list, yields the following unmapped CWEs, again in descending order:
- CWE-121: Stack-based Buffer Overflow
- CWE-416: Use After Free
- CWE-125: Out-of-bounds Read
- CWE-400: Uncontrolled Resource Consumption
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-787: Out-of-bounds Write
- CWE-122: Heap-based Buffer Overflow
- CWE-399: Resource Management Errors
- CWE-476: Null Pointer Dereference
- CWE-190: Integer Overflow or Wraparound
- CWE-120: Buffer Copy without Checking Size of Input
- CWE-843: Access of Resource Using Incompatible Type (‘Type Confusion’)
- CWE-427: Uncontrolled Search Path Element
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-129: Improper Validation of Array Index
- CWE-693: Protection Mechanism Failure
- CWE-754: Improper Check for Unusual or Exceptional Condition
Of the 2017-2020 entries, CWE-399, CWE-843, CWE-129, CWE-693 and CWE-754 are the only ones that do not reappear in the 2021-2024 data. In other words, most of the memory-safety CWEs were already this prominent in the data behind the 2021 list, and OWASP still left memory management errors out of the Top 10, parking them under "Next Steps". With the same CWEs dominating again, it seems unlikely that memory management errors will make the 2025 Top 10 despite their common occurrence; most of these CVEs come from native software rather than the web applications the Top 10 is scoped to.
OWASP 2021 Categories CVSS Score Average
Let's repeat the same analysis, but rather than counting CWE occurrences, we will calculate CVSS base score averages.
Mapping the CWEs to the 2021 Top 10 and averaging the CVSS base scores of those CWEs per category yields the following results:
These averages are all relatively close to each other and most likely won't change the prediction much.
Now let’s take a look at CWEs with high base score averages that don’t tie back to a top 10 2021 category.
The majority of CWEs with the highest base score averages had fewer than 10 occurrences, so we ignore those as noise. That leaves the following, which still do not have many occurrences:
- CWE-1393: Use of Default Password – 17 Occurrences
- CWE-1357: Reliance on Insufficiently Trustworthy Component – 48 Occurrences
- CWE-29: Path Traversal: '\..\filename' – 74 Occurrences
- CWE-453: Insecure Default Variable Initialization – 21 Occurrences
With so few occurrences, this data is not useful for ranking purposes.
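An added example, not the post's analysis code, for the three analysis steps above: category-level CVSS averages, the ranking of CWEs that fall outside the 2021 list, and the minimum-occurrence cut-off. It operates on a dict in the post's per-CWE structure; the CWE-79 row uses the numbers quoted earlier in the post, while every other row holds made-up illustrative values. One check worth building in: a category average should be total score over scored CVEs, weighted by volume. Averaging the per-CWE averages instead lets a low-volume CWE pull the category figure around, and the example computes both so the gap is visible.

```python
from typing import Any, Dict, List, Optional, Tuple

# Per-CWE stats in the post's structure. CWE-79 carries the post's real numbers;
# all other rows are CONSTRUCTED values for illustration, not measured data.
STATS: Dict[str, Dict[str, Any]] = {
    "CWE-79":   {"OWASP 2021 Mapping": "a03_injection", "count": 19723,
                 "baseScoreTotal": 101081.02, "baseScoreCount": 16958, "baseScoreAverage": 5.96},
    "CWE-89":   {"OWASP 2021 Mapping": "a03_injection", "count": 4000,
                 "baseScoreTotal": 32000.0, "baseScoreCount": 4000, "baseScoreAverage": 8.0},
    "CWE-787":  {"OWASP 2021 Mapping": None, "count": 6000,
                 "baseScoreTotal": 45000.0, "baseScoreCount": 6000, "baseScoreAverage": 7.5},
    "CWE-125":  {"OWASP 2021 Mapping": None, "count": 5000,
                 "baseScoreTotal": 30000.0, "baseScoreCount": 5000, "baseScoreAverage": 6.0},
    "CWE-1393": {"OWASP 2021 Mapping": None, "count": 17,
                 "baseScoreTotal": 160.0, "baseScoreCount": 17, "baseScoreAverage": 9.41},
    "CWE-1391": {"OWASP 2021 Mapping": None, "count": 4,
                 "baseScoreTotal": 39.2, "baseScoreCount": 4, "baseScoreAverage": 9.8},
}

Row = Dict[str, Any]


def category_averages(stats: Dict[str, Row]) -> Dict[str, Optional[float]]:
    """Weighted CVSS average per OWASP category: sum of base scores over the
    number of scored CVEs, so a CWE with 17k CVEs outweighs one with 4k."""
    totals: Dict[str, float] = {}
    counts: Dict[str, int] = {}
    for row in stats.values():
        cat = row["OWASP 2021 Mapping"] or "unmapped"
        totals[cat] = totals.get(cat, 0.0) + row["baseScoreTotal"]
        counts[cat] = counts.get(cat, 0) + row["baseScoreCount"]
    return {cat: (round(totals[cat] / counts[cat], 2) if counts[cat] else None) for cat in totals}


def naive_category_averages(stats: Dict[str, Row]) -> Dict[str, float]:
    """The tempting shortcut: mean of the per-CWE averages. Included only to
    make the difference from the weighted figure visible."""
    per_cat: Dict[str, List[float]] = {}
    for row in stats.values():
        if row["baseScoreAverage"] is not None:
            per_cat.setdefault(row["OWASP 2021 Mapping"] or "unmapped", []).append(row["baseScoreAverage"])
    return {cat: round(sum(v) / len(v), 2) for cat, v in per_cat.items()}


def top_unmapped(stats: Dict[str, Row], n: int = 50) -> List[Tuple[str, int]]:
    """The n most frequent CWEs that map to no OWASP 2021 category."""
    unmapped = [(cwe, row["count"]) for cwe, row in stats.items() if row["OWASP 2021 Mapping"] is None]
    return sorted(unmapped, key=lambda item: item[1], reverse=True)[:n]


def high_scoring_unmapped(stats: Dict[str, Row], min_count: int = 10) -> List[Tuple[str, int, float]]:
    """Unmapped CWEs ranked by average base score, dropping any with fewer than
    min_count CVEs so a handful of high scores cannot dominate the ranking."""
    rows = [
        (cwe, row["count"], row["baseScoreAverage"])
        for cwe, row in stats.items()
        if row["OWASP 2021 Mapping"] is None
        and row["count"] >= min_count
        and row["baseScoreAverage"] is not None
    ]
    return sorted(rows, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    print("weighted:", category_averages(STATS))
    print("naive:   ", naive_category_averages(STATS))
    print("top unmapped by count:", top_unmapped(STATS, 3))
    print("high-scoring unmapped (>= 10 CVEs):", high_scoring_unmapped(STATS))
```

With these rows the weighted injection average comes out at 6.35 while the naive mean of per-CWE averages is 6.98, a difference of more than half a CVSS point from the same data; the constructed CWE-1391 row (average 9.8 on four CVEs) is dropped by the cut-off exactly as the post does with its sub-10 entries.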
OWASP Top Ten 2025 Predictions
Now, let's make some final predictions using the data analysis together with personal observations and opinions.
- A01:2025 – Broken Access Control
- A02:2025 – Injection
- A03:2025 – Insecure Design (Combined with Security Logging and Monitoring Failures)
- A04:2025 – Identification and Authentication Failures
- A05:2025 – Cryptographic Failures
- A06:2025 – Security Misconfiguration
- A07:2025 – Vulnerable and Outdated Components
- A08:2025 – Software and Data Integrity Failures
- ?
- ?
A01-A02
- A01:2025 – Broken Access Control
- A02:2025 – Injection
In my opinion, the top two categories will be the long-reigning broken access control and injection. The CVE data gathered supports this, and these two are by far the most common issues I see in nearly every web app engagement.
A03
- A03:2025 – Insecure Design (Combined with Security Logging and Monitoring Failures)
Although "Identification and Authentication Failures" probably edges this one out on frequency and CVSS score data, my prediction is that "Security Logging and Monitoring Failures" will be folded into "Insecure Design". Only four CWEs are currently mapped to "Security Logging and Monitoring Failures", and given that OWASP keeps moving towards more abstract categories, I can definitely see these two being combined.
A04
- A04:2025 – Identification and Authentication Failures
The “Identification and Authentication Failures” category climbs the list based on frequency and overall CVSS score. It just edges out “Insecure Design” in my book by having the higher CVSS score average.
A05
- A05:2025 – Cryptographic Failures
Based on the data, I think the "Cryptographic Failures" category will drop in the rankings a bit. I still see these issues reported on most pentests, but they are usually not the top-risk items.
A06
- A06:2025 – Security Misconfiguration
XXE-related CWEs were moved into the "Security Misconfiguration" category back in 2021. Placing that vulnerability class there does not make much sense to me, but I predict that SSRF will likewise be merged into another category. OWASP has been leaning into broader and broader categories with each iteration, so I expect this cycle to be no different. It's tricky to say where SSRF will land, as some categories will most likely be renamed and condensed, but it could be combined with "Security Misconfiguration". That would also be consistent with SSRF (CWE-918) and XXE (CWE-611) sharing the same CWE pillar, "CWE-664: Improper Control of a Resource Through its Lifetime".
A07-A08
- A07:2025 – Vulnerable and Outdated Components
- A08:2025 – Software and Data Integrity Failures
These two categories were hard to rank because CVE data does not represent them well: a vulnerable dependency is recorded as a CVE against the component itself, not against every application that ships it. Based on personal experience, this is where I rank them for now. Both categories also have very few CWEs mapped to them, so I would not be surprised if OWASP merged them with other categories.
A09-A10
For the last couple of cycles, OWASP has used an industry survey to select two of the ten categories. Since I'm unsure which candidate categories OWASP proposed in this cycle's survey, I'll make some predictions myself.
One potential candidate I could see making this list is Race Conditions/Timing Attacks. Race conditions are represented by CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), which is not included in any current OWASP Top 10 category. Security researchers such as James Kettle have continued to push the limits of what can be done with this vulnerability class over the last couple of years, specifically in his research presented at DEF CON 31 and 32. I have personally seen race condition issues on several web app engagements and believe we are only scratching the surface of this vulnerability class.
Web Cache Poisoning is another vulnerability class that could potentially make the list. While I think this one is less likely, it maps to CWE-436 (Interpretation Conflict), which is also not included in any current Top 10 category. James Kettle and PortSwigger have released great research on this class as well.
Conclusion
Predictions are difficult, especially with a limited data set. However, mapping CVE data to CWEs and OWASP categories revealed some very interesting trends, all of which match what I have seen in the industry over the last several years. With the new Top 10 list releasing early this year, we are excited to see whether the wealth of data OWASP gathered from the industry aligns with what we observed.
About the Author: Jason Marcello
Jason is a Principal Offensive Security Engineer at TCM Security with a deep passion for all things cybersecurity. Jason has professional experience in the healthcare, banking, and tech industries. He specializes in web application security and is especially passionate about research topics pushing the boundaries of application security. Jason holds a Bachelor of Science in Computing Security from Rochester Institute of Technology. Additionally, Jason holds several industry-recognized certifications such as the OSCP, OSWE, OSEP, OSWA, PWPP, BSCP, CRT, CRTO, etc.
Jason is also a husband, dad of two dogs, and a coffee/espresso aficionado. In his free time, he enjoys hiking, gaming, and playing guitar.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.