The MITRE Company has launched an up to date Widespread Weak spot Enumeration (CWE) Prime 25 Most Harmful Software program Weaknesses listing to replicate the newest adjustments within the menace panorama.
Cross-site scripting (XSS) vulnerabilities saved the highest spot within the listing, adopted by SQL injection and cross-site request forgery (CSRF), every up one place from final 12 months.
Lacking authorization landed fourth within the 2025 CWE Prime 25 listing, up 5 positions. Out-of-bounds write positioned fifth, dropping two locations.
The highest 10 additionally consists of path traversal, use-after-free, out-of-bounds learn, OS command injection, and code injection vulnerabilities.
There are six new entries within the Prime 25 this 12 months, together with 4 CWEs that weren’t ranked within the listing’s earlier installments.
These embrace three buffer overflow weaknesses (basic on 11, stack-based on 14, and heap-based on 16), improper entry management on 19, authorization bypass by way of user-controlled key on 24, and allocation of assets with out limits or throttling on 25.
Improper privilege administration, integer overflow or wraparound, improper authentication, uncontrolled useful resource consumption, use of hardcoded credentials, and improper restriction of operations throughout the bounds of a reminiscence buffer dropped from the CWE Prime 25 listing.
These adjustments have been influenced by how earlier Prime 25 calculations have been dealt with and sharply diminished mappings. MITRE has revealed particulars on how the 2025 listing was compiled on the methodology web page.
Based on the US cybersecurity company CISA, the 2025 CWE Prime 25 is supposed to help vulnerability discount, drive value effectivity, enhance buyer and stakeholder belief, and promote buyer consciousness.Commercial. Scroll to proceed studying.
CISA recommends that software program makers overview the listing and incorporate Safe by Design practices in product improvement and that safety groups incorporate the listing into vulnerability administration and utility safety testing.
The Prime 25 listing also needs to be used, alongside Safe by Design pointers, for benchmarking when evaluating distributors, to make sure funding in safe merchandise.
Associated: Two New Net Software Threat Classes Added to OWASP Prime 10
Associated: Prime 25 MCP Vulnerabilities Reveal How AI Brokers Can Be Exploited
Associated: MITRE Updates Listing of Most Widespread {Hardware} Weaknesses
Associated: Google DeepMind Unveils Framework to Exploit AI’s Cyber Weaknesses
