OWASP_LLM_TOP10LLM10:2025voice-validated
OWASP_LLM_TOP10 LLM10: LLM10:2025
OWASP_LLM_TOP10
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
Unbounded consumption refers to model invocations that consume excessive resources — compute, memory, tokens, or external API quota — leading to denial of service, denial of wallet, or cascading failures. Includes lack of rate limiting on LLM endpoints, unbounded streaming response loops, unmonitored long-context costs, and recursive tool-call patterns in agentic systems.
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1035 | Implement strict rate limiting on LLM endpoints and API quotas per user or application to prevent unbounded consumption. This directly controls resource usage. | 95% |
| M1031 | Deploy network intrusion prevention systems to detect and block high-volume or suspicious traffic patterns indicative of DoS attacks against LLM services. | 90% |
| M1047 | Implement comprehensive logging and monitoring of LLM resource consumption, API calls, and response lengths to detect anomalous usage patterns promptly. | 85% |
| M1017 | Enforce strong authentication and authorization for LLM access, ensuring only authorized users can invoke the model and preventing account compromise for abuse. | 80% |
| M1040 | Restrict the permissions of the LLM service and its underlying infrastructure to the minimum necessary, limiting potential damage from resource exhaustion. | 75% |
| M1049 | Regularly scan LLM applications and their dependencies for vulnerabilities that could be exploited to trigger unbounded resource consumption or DoS. | 70% |
| M1038 | Isolate LLM services within segmented network zones to contain the impact of a resource exhaustion attack and prevent cascading failures across the infrastructure. | 65% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-400 | The core weakness is the lack of controls on compute, memory, or token usage, allowing attackers to exhaust system resources. | 95% |
| CWE-770 | Absence of rate limiting on LLM endpoints or insufficient throttling mechanisms directly enables unbounded consumption attacks. | 90% |
| CWE-20 | Maliciously crafted prompts or API requests, if not properly validated, can trigger resource-intensive operations or infinite loops within the LLM. | 85% |
| CWE-789 | LLM operations, especially with long contexts or complex outputs, can consume excessive memory if not properly managed, leading to system instability. | 80% |
| CWE-835 | Recursive tool calls or unbounded streaming responses can create infinite loops, consuming CPU and memory until the system fails. | 75% |
| CWE-284 | Insufficient authorization allows unauthorized users or systems to invoke resource-intensive LLM functions, leading to abuse and denial of service. | 70% |
| CWE-307 | This weakness extends to any API endpoint lacking rate limits, allowing attackers to flood the LLM with requests, not just authentication attempts. | 65% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0176 compute · voice-rubric self-validated