MITRE Shares 2025's Top 25 Most Dangerous Software Weaknesses
Summary:
MITRE has shared this year's top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software's code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.
To create this year's ranking, MITRE scored each weakness based on its severity and frequency after analyzing 39,080 CVE Records for vulnerabilities reported between June 1, 2024, and June 1, 2025.
While Cross-Site Scripting (CWE-79) still retains its spot at the top of the Top 25, there were many changes in rankings from last year's list, including Missing Authorization (CWE-862), Null Pointer Dereference (CWE-476), and Missing Authentication (CWE-306), which were the biggest movers up the list.
The new entries in this year's top-most severe and prevalent weaknesses are Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122), Improper Access Control (CWE-284), Authorization Bypass Through User-Controlled Key (CWE-639), and Allocation of Resources Without Limits or Throttling (CWE-770).
Top 25 Vulnerabilities:
Please find below some mitigations for this year’s top five most dangerous software weaknesses:
https://cwe.mitre.org/top25/archive/2025/2025_methodology.html
MITRE has shared this year's top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software's code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.
To create this year's ranking, MITRE scored each weakness based on its severity and frequency after analyzing 39,080 CVE Records for vulnerabilities reported between June 1, 2024, and June 1, 2025.
While Cross-Site Scripting (CWE-79) still retains its spot at the top of the Top 25, there were many changes in rankings from last year's list, including Missing Authorization (CWE-862), Null Pointer Dereference (CWE-476), and Missing Authentication (CWE-306), which were the biggest movers up the list.
The new entries in this year's top-most severe and prevalent weaknesses are Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122), Improper Access Control (CWE-284), Authorization Bypass Through User-Controlled Key (CWE-639), and Allocation of Resources Without Limits or Throttling (CWE-770).
Top 25 Vulnerabilities:
- CWE-79 - Cross-site Scripting
- CWE-89 - SQL Injection
- CWE-352 - Cross-Site Request Forgery (CSRF)
- CWE-862 - Missing Authorization
- CWE-787 - Out-of-bounds Write
- CWE-22 - Path Traversal
- CWE-416 - Use After Free
- CWE-125 - Out-of-bounds Read
- CWE-78 - OS Command Injection
- CWE-94 - Code Injection
- CWE-120 - Classic Buffer Overflow
- CWE-434 - Unrestricted Upload of File with Dangerous Type
- CWE-476 - NULL Pointer Dereference
- CWE-121 - Stack-based Buffer Overflow
- CWE-502 - Deserialization of Untrusted Data
- CWE-122 - Heap-based Buffer Overflow
- CWE-863 - Incorrect Authorization
- CWE-20 - Improper Input Validation
- CWE-284 - Improper Access Control
- CWE-200 - Exposure of Sensitive Information
- CWE-306 - Missing Authentication for Critical Function
- CWE-918 - Server-Side Request Forgery (SSRF)
- CWE-77 - Command Injection
- CWE-639 - Authorization Bypass via User-Controlled Key
- CWE-770 - Allocation of Resources w/o Limits or Throttling
Please find below some mitigations for this year’s top five most dangerous software weaknesses:
- Cross-site Scripting (XSS)
- Output Encoding: Always encode (HTML encode, URL encode, etc.) all untrusted data before it is sent to the web browser to prevent it from being executed as active content. Use context-aware encoding libraries.
- SQL Injection (SQLi)
- Use Parameterized Queries (Prepared Statements): Never concatenate user input directly into SQL queries. Use prepared statements where user input is passed as parameters, ensuring the input is treated as data, not as executable code.
- Cross-Site Request Forgery (CSRF)
- Use Anti-CSRF Tokens: Implement unique, cryptographically secure, and per-session/per-request tokens that must be included in all state-changing requests (e.g., POST, PUT, DELETE). Validate the token's presence and correctness on the server side.
- Missing Authorization
- Implement Access Control Checks: Enforce an authorization matrix (e.g., Role-Based Access Control, RBAC) on the server side for every request. Ensure that every action (accessing a resource, modifying data, etc.) is preceded by a check to verify the user has the necessary permissions.
- Out-of-bounds Write
- Use Memory-Safe Languages/Functions: Where possible, use memory-safe languages (e.g., Rust, Go, Java, Python). In C/C++, use checked library functions and techniques to validate all buffer sizes before performing write operations (e.g., using strncpy with proper bounds checking instead of strcpy).
https://cwe.mitre.org/top25/archive/2025/2025_methodology.html