Practices for linking vulnerabilities to software weaknesses vary from one CVE Numbering Authority (CNA) to another.
The phenomenon itself is not new. But as the number of authorities producing such mappings grows, so does their influence on downstream projects. One of those projects is MITRE's CWE Top 25.
In the recently published 2025 edition, the American organization stresses how "instructive" it can be to study the mapping practices of these authorities, all the more so after what it observed with one of the most prolific of them: a tendency to map a CVE to both a low-level and a high-level CWE, which inflates the counts of the latter. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e. 'Injection') is a case in point: it is the parent of CWE-89 (SQL Injection), CWE-79 (Cross-Site Scripting), CWE-78 (OS Command Injection) and CWE-94 (Code Injection), so a CVE mapped to CWE-89 and CWE-74 at once counts toward the general entry as well as the specific one.
First use of an LLM for the Top 25 CWE
For this edition, the initial dataset comprised 39,080 CVEs published between June 1, 2024 and June 1, 2025.
MITRE collected the mappings produced by the CNAs or added by CISA after CVE publication. It also took into account the downstream mappings made by analysts of the NVD (National Vulnerability Database, administered by NIST).
An automated pass identified mappings likely to need correction, in particular those that were overly abstract, or that differed substantially from earlier mappings of CVEs containing similar keywords.
The mappings flagged for re-evaluation concerned 9,468 CVEs (24% of the total), published by 281 authorities.
For the first time, MITRE used an LLM, grounded in the CWE corpus and in existing mappings, to examine this subset. Its suggestions were not always adopted, but it appears to have surfaced candidate associations that human analysts would probably have missed for lack of time or domain expertise.
For 2,459 of these 9,468 CVEs, the numbering authorities responded to the flagged mappings. The remainder went through a further round of review, and it is there that the practice described above came to light.
Skipping normalization reshuffles the deck, somewhat
Four CWEs that had never appeared in the Top 25 make their entrance this year; they carry the "N/A" tag in the table below. They are the classic buffer overflow (CWE-120), the stack-based buffer overflow (CWE-121), the heap-based buffer overflow (CWE-122) and improper access control (CWE-284).
A methodological change contributed to this. Until now, before the ranking was computed (from CWE frequency and the severity of the associated CVEs), the mappings were normalized against the view traditionally used by the NVD, which covers only 130 CWEs. A CVE mapped to a CWE outside that view was re-attached to the nearest ancestor that is in the view, where one exists; otherwise the mapping was dropped.
For the first time, MITRE used the mappings as they stood, without this normalization. The result, we are told, is a "more faithful" picture.
The same choice has probably also pushed several CWEs out of the Top 25, since a parent entry no longer absorbs the CVEs mapped to its more specific children. CWE-269 (Improper Privilege Management) illustrates this: it drops from 15th to 29th place, with 219 CVEs associated without normalization, against 633 had the mappings been normalized. The same effect likely applies to CWE-400 (Uncontrolled Resource Consumption; from 24th to 32nd), CWE-798 (Use of Hard-coded Credentials; from 22nd to 35th) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer; from 20th to 39th).
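As an added example (not code from MITRE or the CWE project), the following Python script implements the two mapping steps this article describes: the double-mapping check from the paragraph on CWE-74 and its children, and the "nearest ancestor in the NVD view, else drop" normalization described above, with counts before and after. The parent map, the stand-in for the 130-entry NVD view and the CVE records are all constructed for illustration. The scoring formula (normalized frequency times normalized average CVSS, times 100) is the one MITRE published for earlier Top 25 editions; the article only says "frequency and severity", so treat it as an assumption here.

```python
"""Two CWE-mapping steps discussed in the article, re-implemented:

1. flag a CVE whose CWE list contains both a weakness and one of its
   ancestors (the low-level + high-level double mapping), and
2. the "normalize to the nearest ancestor in the NVD view, else drop" step
   that the 2025 edition skipped, with counts and ranking before and after.

Hierarchy, view and CVE records below are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed, simplified parent map (one parent per entry; the real CWE-1000
# research view is much larger and some entries have several parents).
PARENT: Dict[str, str] = {
    "CWE-89": "CWE-74", "CWE-79": "CWE-74", "CWE-78": "CWE-74", "CWE-94": "CWE-74",
    "CWE-74": "CWE-707",
    "CWE-121": "CWE-787", "CWE-122": "CWE-787",
    "CWE-787": "CWE-119", "CWE-125": "CWE-119", "CWE-120": "CWE-119",
    "CWE-266": "CWE-269", "CWE-269": "CWE-284",
    "CWE-1321": "CWE-915", "CWE-915": "CWE-913",
}

# Constructed stand-in for the ~130-entry NVD view. CWE-121/122 and CWE-266
# are deliberately absent so they roll up into a parent; none of CWE-1321's
# ancestors is present, so that mapping is dropped under normalization.
NVD_VIEW: Set[str] = {
    "CWE-74", "CWE-78", "CWE-79", "CWE-89", "CWE-94",
    "CWE-119", "CWE-120", "CWE-125", "CWE-787",
    "CWE-269", "CWE-284",
}


def ancestors(cwe: str) -> List[str]:
    """Walk the parent chain upward from cwe (cwe itself excluded)."""
    chain, cur = [], cwe
    while cur in PARENT:
        cur = PARENT[cur]
        chain.append(cur)
    return chain


def redundant_parents(mapped: Iterable[str]) -> Set[str]:
    """Return the mapped CWEs that are ancestors of another mapped CWE.

    A CVE mapped to both CWE-89 and CWE-74 adds nothing with the second
    entry: the specific weakness already implies the general one.
    """
    mapped = set(mapped)
    return {c for c in mapped
            if any(c in ancestors(other) for other in mapped if other != c)}


def normalize(cwe: str, view: Set[str] = NVD_VIEW) -> Optional[str]:
    """cwe if it is in the view, else its nearest ancestor in the view,
    else None (the mapping is dropped)."""
    if cwe in view:
        return cwe
    for anc in ancestors(cwe):
        if anc in view:
            return anc
    return None


# Constructed records: (label, mapped CWE, CVSS base score). Not real CVEs.
RECORDS: List[Tuple[str, str, float]] = [
    ("sample-01", "CWE-79", 6.1), ("sample-02", "CWE-79", 5.4),
    ("sample-03", "CWE-89", 9.8),
    ("sample-04", "CWE-121", 7.8), ("sample-05", "CWE-122", 8.8),
    ("sample-06", "CWE-787", 9.8),
    ("sample-07", "CWE-266", 7.2), ("sample-08", "CWE-266", 7.8),
    ("sample-09", "CWE-269", 8.8),
    ("sample-10", "CWE-1321", 7.5),
]


def tally(records, normalized: bool) -> Dict[str, List[float]]:
    """Group CVSS scores by CWE, with or without the normalization step."""
    by_cwe: Dict[str, List[float]] = defaultdict(list)
    for _, cwe, cvss in records:
        key = normalize(cwe) if normalized else cwe
        if key is not None:
            by_cwe[key].append(cvss)
    return dict(by_cwe)


def counts(records, normalized: bool) -> Dict[str, int]:
    return {c: len(v) for c, v in tally(records, normalized).items()}


def rank(records, normalized: bool) -> List[Tuple[str, float]]:
    """Score = normalized frequency x normalized mean CVSS x 100 (the formula
    MITRE published for earlier editions; assumed here). Note that the
    least frequent and the least severe entries both score 0 by design."""
    groups = tally(records, normalized)
    freq = {c: len(v) for c, v in groups.items()}
    sev = {c: sum(v) / len(v) for c, v in groups.items()}
    f_min, f_max = min(freq.values()), max(freq.values())
    s_min, s_max = min(sev.values()), max(sev.values())
    f_span = (f_max - f_min) or 1  # guard against /0 when all counts tie
    s_span = (s_max - s_min) or 1
    scored = [(c, (freq[c] - f_min) / f_span * (sev[c] - s_min) / s_span * 100)
              for c in groups]
    return sorted(scored, key=lambda cs: (-cs[1], cs[0]))


if __name__ == "__main__":
    print("double mapping:   ", redundant_parents(["CWE-89", "CWE-74"]))
    print("raw counts:       ", counts(RECORDS, normalized=False))
    print("normalized counts:", counts(RECORDS, normalized=True))
    for cwe, score in rank(RECORDS, normalized=True):
        print(f"{cwe:8s} {score:6.2f}")
```

With normalization, the two stack/heap records fold into CWE-787 and the two CWE-266 records into CWE-269, which is the mechanism behind the 219-versus-633 gap quoted above for CWE-269; without it, the parent entries keep only the CVEs mapped to them directly, and the top of the constructed ranking changes accordingly.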
The 2025 Top 25 Software Weaknesses
| Rank | Identifier | Nature | Change vs. 2024 |
|---|---|---|---|
| 1 | CWE-79 | XSS (Cross-Site Scripting; improper neutralization of input during web page generation) | = |
| 2 | CWE-89 | SQLi (SQL Injection; improper neutralization of special elements used in an SQL command) | + 1 |
| 3 | CWE-352 | CSRF (Cross-Site Request Forgery; the web application does not adequately verify that a request was intentionally sent by the user) | + 1 |
| 4 | CWE-862 | Missing Authorization | + 5 |
| 5 | CWE-787 | Out-of-bounds Write | – 3 |
| 6 | CWE-22 | Path Traversal | – 1 |
| 7 | CWE-416 | Use After Free | + 1 |
| 8 | CWE-125 | Out-of-bounds Read | – 2 |
| 9 | CWE-78 | OS Command Injection | – 2 |
| 10 | CWE-94 | Code Injection | + 1 |
| 11 | CWE-120 | Classic Buffer Overflow (copy without checking the size of the input) | N/A |
| 12 | CWE-434 | Unrestricted Upload of File with Dangerous Type | – 2 |
| 13 | CWE-476 | NULL Pointer Dereference | + 8 |
| 14 | CWE-121 | Stack-based Buffer Overflow | N/A |
| 15 | CWE-502 | Deserialization of Untrusted Data | + 1 |
| 16 | CWE-122 | Heap-based Buffer Overflow | N/A |
| 17 | CWE-863 | Incorrect Authorization | + 1 |
| 18 | CWE-20 | Improper Input Validation | – 6 |
| 19 | CWE-284 | Improper Access Control | N/A |
| 20 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | – 3 |
| 21 | CWE-306 | Missing Authentication for a Critical Function | + 4 |
| 22 | CWE-918 | SSRF (Server-Side Request Forgery; the server fetches a URL without adequately verifying that the request goes to the intended destination) | – 3 |
| 23 | CWE-77 | Command Injection (improper neutralization of special elements used in a command) | – 10 |
| 24 | CWE-639 | Authorization Bypass Through User-Controlled Key | + 6 |
| 25 | CWE-770 | Allocation of Resources Without Limits or Throttling | + 1 |
The methodology had already evolved last year. To curb over-broad mappings, MITRE gave the numbering authorities a larger role in reviewing them. Few responded to the request, which left room for higher-level CWEs to climb, or even enter, the Top 25.