Common Weakness Enumeration

2025 CWE Top 25 Key Insights

The “2025 CWE Top 25 Most Dangerous Software Weaknesses” highlights the most severe and prevalent weaknesses behind the 39,080 Common Vulnerabilities and Exposures (CVE™) Records in this year’s dataset. Uncovering the technical root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place.

The CWE Top 25 can help inform:

• Vulnerability Reduction: Drive valuable feedback into the SDLC and architectural planning, helping to eliminate entire classes of defects (e.g., memory safety, injection).
• Cost Savings: Fewer weaknesses introduced during product development means fewer vulnerabilities to manage post-deployment, where it is more expensive and resource intensive.
• Trend Analysis: Insight into vulnerability trends enables organizations to better focus and adapt their security strategies. Organizations that look across the ecosystem can leverage these trends to identify systemic issues and drive collective improvements in software security practices.
• Customer Trust: Transparency in how organizations address these weaknesses shows commitment to product security and not repeating the same mistakes.
• Consumer Awareness: Educate software consumers about dangerous weaknesses and common vulnerabilities, empowering them to make informed decisions when selecting products.

The 2025 CWE Top 25 is a valuable resource for developers and security professionals, as well as a strategic guide for organizations aiming to make informed decisions in software, security, and risk management investments.

Analysis

While CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-Site Scripting’) retains its spot at the top of the Top 25, there were many changes in rankings from last year’s list.

The biggest movers up the list are:

• CWE-862: Missing Authorization, up 5 from #9 to #4
• CWE-476: Null Pointer Dereference, up 8 from #21 to #13
• CWE-306: Missing Authentication, up 4 from #25 to #21

New entries in the Top 25 are:

• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), at #11 with no previous ranking
• CWE-121: Stack-based Buffer Overflow, at #14 with no previous ranking
• CWE-122: Heap-based Buffer Overflow, at #16 with no previous ranking
• CWE-284: Improper Access Control, at #19 with no previous ranking
• CWE-639: Authorization Bypass Through User-Controlled Key, up 6 from #30 to #24
• CWE-770: Allocation of Resources Without Limits or Throttling, up 1 from #26 to #25

Four CWEs were not ranked in 2024 and earlier because of how previous Top 25 calculations were handled. For more detailed information, see the Methodology page. In short, the 2025 CWE Top 25 used all CWE mappings as provided and reviewed by CNAs, without normalizing them back to View-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities, a simplified collection of 130 weaknesses commonly used by the U.S. National Vulnerability Database (NVD) for their enrichment purposes. As a result, the 2025 CWE Top 25 reflects a more accurate picture of real-world CWE mappings and offers greater insight into the CWE root cause mapping practices of the broader vulnerability management community.

The biggest downward movers are:

• CWE-787: Out-of-Bounds Write, down 3 from #2 to #5
• CWE-20: Improper Input Validation, down 6 from #12 to #18
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, down 3 from #17 to #20
• CWE-918: SSRF, down 3 from #19 to #22
• CWE-77: Command Injection, down 10 from #13 to #23

Entries that fell off the Top 25 are:

• CWE-269: Improper Privilege Management, down 14 from #15 to #29
• CWE-190: Integer Overflow or Wraparound, down 7 from #23 to #30
• CWE-287: Improper Authentication, down 17 from #14 to #31
• CWE-400: Uncontrolled Resource Consumption, down 8 from #24 to #32
• CWE-798: Use of Hard-coded Credentials, down 13 from #22 to #35
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, down 19 from #20 to #39

Most of these downward-moving CWEs (except CWE-190 and CWE-918) may have had sharply reduced mappings because, in previous years, mappings to their child CWEs were rolled up to them due to View-1003 normalization. For example, CWE-269 had 219 CVEs in non-normalized data this year, while one of its children (CWE-250) was mapped by 88 CVEs. If all of CWE-269’s children had been normalized to CWE-269, it would have had 633 CVEs this year. This likely would have kept it in the Top 25. Notably, many of these CWEs are more abstract and Discouraged for mapping, which may have led CNAs to use more precise mappings.

Mapping Usage

Every CWE on cwe.mitre.org is annotated with a “mapping usage recommendation” that suggests whether the CWE is recommended for vulnerability root cause mapping given its level of abstraction and actionability. These include Allowed, Allowed-with-Review, Discouraged, and Prohibited.

The CWEs in the 2025 Top 25 received 28,336 total mappings and had the following mapping usage recommendations:

• 17 Allowed – 22,438 maps (79.19% of all Top 25 mappings)
• 5 Allowed-with-Review – 4,363 maps (15.40%)
• 3 Discouraged – 1,535 maps (5.42%)

In contrast, last year’s 2024 Top 25 had the following mapping usage recommendations:

• 15 Allowed – 16,298 maps (82.33% of all Top 25 mappings)
• 4 Allowed-with-Review – 1,481 maps (7.48%)
• 6 Discouraged – 2,017 maps (10.19%)

The decline in mappings to “Discouraged” CWEs suggests a marked improvement in root cause mapping practices, since other prior years have been in the 10% or 11% range. Even using data normalized to View-1003 as in past years, there was still a reduction. This is best illustrated by the removal of two Discouraged CWEs from the Top 25, namely CWE-119 and CWE-400.

The Top 25 Team encourages CVE Numbering Authorities (CNAs) to continue striving for actionable and precise CWE mappings in their CVE Records.

For more information about root cause mapping, see our CVE-to-CWE Root Cause Mapping Guidance.

Abstraction

CWE contains over 900 weaknesses that range from abstract and conceptual to precise and technology- or language-specific. A precise weakness will have a parent weakness that is more abstract, which may also have parent weaknesses, and so on.

There are four types of weakness abstractions, from most abstract to most specific: Pillar, Class, Base, and Variant.

For root cause mapping, CWE recommends that Base and Variant level CWEs should be used whenever possible to ensure providing adequate specificity and actionability. Class level CWEs may be used if there is no accurate Base or Variant level CWE. Pillar level weaknesses are rarely useful for root cause mapping, if ever, with some rare exceptions for unusual or less widely researched weaknesses.

In the 2025 Top 25, the number of mappings based on CWE abstraction were:

• Base: 20,351 maps (71.82%) for 15 unique CWEs
• Class: 3,705 maps (13.08%) for 5 unique CWEs
• Compound: 1,750 maps (6.18%) for 1 unique CWE
• Variant: 2,022 maps (7.14%) for 3 unique CWEs
• Pillar: 508 maps (1.79%) for 1 unique CWE

The 5 classes in 2025’s Top 25 represent a decrease from 2024’s 9 classes. At least part of this decrease is due to the use of raw data, allowing lower-level CWEs to enter the Top 25.

In 2024, the abstraction counts were:

• Base: 14,342 maps (72.45%) for 14 unique CWEs
• Class: 3,498 maps (17.67%) for 9 unique CWEs
• Compound: 1,301 maps (6.57%) for 1 unique CWEs
• Variant: 655 maps (3.31%) for 1 unique CWEs

It should be noted that the “Compound” CWE is for Cross-Site Request Forgery (CSRF) (i.e., CWE-352), which is a composite of multiple weaknesses; CWE-352’s abstraction aligns with that of a Base.

Possible Causes of Rank Shifts

Given the increase in annual CVE Records, there were unsurprisingly higher CVE counts for most CWEs in this year’s dataset analysis. The shift in scoring and the fewer CWE mappings in NVD data in 2024 also contributed to this. For example, the number of CVE Records that mapped to CWE-79 increased by over 3,000 this year, and CWE-89 by almost 1,000.

As more CNAs contribute their own CWE mappings for CVE Records, it is possible that high-volume CNAs might have mapping practices that are different than what has been experienced before. A per-CNA evaluation of mapping practices could be informative, but it was outside the scope of this initial analysis.

The Top 25 team is excited to see more and more CNAs routinely providing CWE mappings at the time of disclosure:

• In the 2024 Top 25 dataset, 53% of CVE Records had a CWE mapping provided by the publishing CNA.
• In the 2025 Top 25 dataset, this metric increased to 67%, an increase of 14% year over year.

The CVE Program publishes regular metrics, including the CVE Numbering Authority (CNA) Enrichment Recognition List, which may be of interest to Top 25 readers.