What is A10 (OWASP A10:2025 — Mishandling of Exceptional Conditions)?

OWASP Top 10 (2025) item #10 — a new addition. Covers improper error and exception handling that leads to unpredictable or insecure behavior, including improper input validation, incomplete error recovery, and inconsistent exception handling. 24 CWEs map into this category.

Full explanation

A10:2025 is a new entry in the 2025 list, taking the slot that 'Server-Side Request Forgery' held in 2021 (SSRF was folded into A01:2025 Broken Access Control). It catches a long tail of bugs where the application fails *unsafely*: defaulting to allow when an authorization check times out, leaking stack traces that contain secrets, failing open when the rate limiter errors, retrying a destructive operation after a partial failure. It is common in AI-generated code because LLMs tend to write happy-path logic without working through the failure modes. CWEs in scope include CWE-209 (generation of error message containing sensitive information), CWE-754 (improper check for unusual or exceptional conditions) and CWE-755 (improper handling of exceptional conditions).

Example

An auth-checking middleware throws if the JWT verification service is unreachable. The catch block logs the error and calls `next()`, passing the request through to the protected route: fail-open behaviour the developer did not notice. An attacker who can DoS the JWT service bypasses authentication for every request while it is down. The fail-closed version returns 503 on any verification error and never calls `next()` without a verified identity on the request.
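The middleware described above, written out as an added example (not code from the page or from OWASP) next to its fail-closed form. It uses the Express-style `(req, res, next)` signature but has no Express dependency; the JWT verification service, the token values and the `runRequest` harness are constructed for this example so it runs offline.

```javascript
// Added example, not from the page or OWASP: fail-open vs fail-closed JWT
// middleware. Express-style (req, res, next) signature, no Express dependency.

class ServiceUnavailableError extends Error {
  constructor(message) {
    super(message);
    this.name = "ServiceUnavailableError";
  }
}

// Constructed stand-in for a remote JWT verification service:
// - returns the claims for a valid token
// - returns null for an invalid token (a normal, expected outcome)
// - throws ServiceUnavailableError when the service is down, i.e. the
//   condition an attacker creates by DoSing it
function makeVerifier({ up }) {
  return {
    verify(token) {
      if (!up) throw new ServiceUnavailableError("JWT verification service unreachable");
      return token === "valid-token" ? { sub: "alice" } : null;
    },
  };
}

function bearerToken(req) {
  const header = req.headers.authorization || "";
  return header.startsWith("Bearer ") ? header.slice("Bearer ".length) : null;
}

// VULNERABLE (fail-open): invalid tokens are rejected correctly, but the catch
// block that handles a verifier outage logs and calls next(), so during an
// outage every request reaches the protected route with no identity.
function failOpenAuth(verifier, log = () => {}) {
  return function (req, res, next) {
    try {
      const claims = verifier.verify(bearerToken(req));
      if (!claims) return res.status(401).send("invalid token");
      req.user = claims;
      return next();
    } catch (err) {
      log(`auth error: ${err.message}`);
      return next(); // fail-open: the request continues unauthenticated
    }
  };
}

// HARDENED (fail-closed): a verifier exception ends the request with 503
// (kept distinct from 401 so the outage stays visible), an invalid or missing
// token is 401, and next() is only reachable after req.user is set.
function failClosedAuth(verifier, log = () => {}) {
  return function (req, res, next) {
    const token = bearerToken(req);
    if (!token) return res.status(401).send("missing token");
    let claims;
    try {
      claims = verifier.verify(token);
    } catch (err) {
      log(`auth error: ${err.message}`);
      return res.status(503).send("authentication temporarily unavailable");
    }
    if (!claims) return res.status(401).send("invalid token");
    req.user = claims;
    return next();
  };
}

// Minimal req/res harness so the middleware can be driven without a server.
// Returns { status, reachedRoute, user } for one simulated request.
function runRequest(middleware, token) {
  const req = { headers: token ? { authorization: `Bearer ${token}` } : {} };
  const result = { status: 200, reachedRoute: false, user: null };
  const res = {
    status(code) { result.status = code; return this; },
    send() { return this; },
  };
  middleware(req, res, () => {
    result.reachedRoute = true;
    result.user = req.user || null;
  });
  return result;
}

// Drive both middlewares through the four interesting cases
// (service up/down x valid/forged token).
function compare() {
  const cases = [];
  for (const up of [true, false]) {
    for (const token of ["valid-token", "forged-token"]) {
      const verifier = makeVerifier({ up });
      cases.push({
        serviceUp: up,
        token,
        failOpen: runRequest(failOpenAuth(verifier), token),
        failClosed: runRequest(failClosedAuth(verifier), token),
      });
    }
  }
  return cases;
}
```

`compare()` returns the four cases; the one that matters is service down with a forged token, where the fail-open middleware reaches the route with `user: null` and the fail-closed one answers 503 without reaching it. The design point is in `failClosedAuth`: the call that can throw is isolated in its own `try`, and every path out of the function other than the verified-claims path returns a response, so there is no way for an exception to turn into a `next()`.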

FAQ

How is this different from broken access control (A01)?

A01 is the broad class of access-control failures. A10 is specifically about failure-mode behaviour: what your code does when something unexpected happens. A bug can sit in both categories at once, for instance when a botched exception handler silently downgrades an authorization check to allow.

How do I find these in my code?

Search for try/catch blocks where the catch path does not preserve the security posture: it catches and logs but continues, swallows the exception and returns a default-allow result, or retries a destructive operation. Also check what the code does when a dependency returns an unexpected value rather than throwing (null claims, an error response from an authorization service), since CWE-754 covers the missing check as well as the bad handler. LLM-generated code is especially prone, so review every AI-suggested catch block.