This NEW category in OWASP 2025 covers improper handling of errors, edge cases, and abnormal conditions. When applications fail to anticipate exceptional scenarios, they may crash, expose sensitive information, or enter insecure states.
Previously scattered across other categories, exceptional condition handling has become critical enough to warrant its own focus. Modern applications face:
Microservices, async operations, and distributed systems create more failure points
APIs must handle malformed requests, timeouts, and unexpected inputs gracefully
Exposing internal details in errors
Crashes from missing data
Arithmetic exceeding bounds
Unbounded memory/CPU usage
Concurrent state corruption
Granting access on errors
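
Two of the failure modes listed above, granting access on errors and exposing internal details in errors, shown as an added Python example that is not code from the original page. The function names, the role table and the `policy-db.internal` host are constructed for illustration.

```python
import logging
import uuid

log = logging.getLogger("authz")

class PolicyBackendError(Exception):
    """Constructed stand-in for a timeout or outage in a policy service."""

def lookup_role(user, backend_up=True):
    # Hypothetical policy lookup; the role table is constructed sample data.
    if not backend_up:
        raise PolicyBackendError("connect to policy-db.internal:5432 timed out")
    return {"alice": "admin", "bob": "viewer"}[user]  # KeyError if user unknown

def is_admin_fail_open(user, backend_up=True):
    """Weak: any exception skips the check, so an error grants access."""
    try:
        if lookup_role(user, backend_up) != "admin":
            return False
    except Exception:
        pass  # error swallowed; execution falls through to "return True"
    return True

def is_admin_fail_closed(user, backend_up=True):
    """Hardened: deny by default; only a positive answer grants access."""
    try:
        return lookup_role(user, backend_up) == "admin"
    except (PolicyBackendError, KeyError):
        log.exception("role lookup failed for %r", user)
        return False

def handle_request(user, backend_up=True, check=is_admin_fail_closed):
    """Return (status, body); internal details go to the log, not the client."""
    try:
        if not check(user, backend_up):
            return 403, {"error": "forbidden"}
        return 200, {"data": "admin report"}
    except Exception:
        # Unexpected failure: log the full trace under an incident id and
        # return only that id, never the exception text or stack trace.
        incident = uuid.uuid4().hex[:8]
        log.exception("unhandled error, incident %s", incident)
        return 500, {"error": "internal error", "incident": incident}
```

The incident id lets support staff correlate a user report with the server-side log entry without the response revealing hostnames, queries or stack frames.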
Built by an OWASP Member • Part of the OWASP Web Security Lab Series