LLM02:2025 - Sensitive Information Disclosure

Sensitive Information Disclosure is the second-highest risk in the OWASP Top 10 for LLM Applications 2025. It encompasses scenarios where private data is exposed through LLM interactions, whether through training data memorization, system prompt leakage, retrieval of access-controlled documents in RAG pipelines, or careless logging of conversations containing sensitive content.


Overview

LLM applications handle sensitive data at multiple layers: system prompts may contain proprietary instructions or credentials, user conversations may include personal information, and RAG pipelines may retrieve confidential documents. When developers fail to enforce proper data boundaries, the LLM becomes a conduit for information leakage. Unlike traditional data exposure where a single endpoint is compromised, LLM-based disclosure can be unpredictable, and the model may surface sensitive data in response to seemingly unrelated queries. Static analysis can catch many of these risks at the code level before they manifest in production, by identifying secrets embedded in prompts, missing output filters, and insecure data handling patterns.


What Radar Detects

  • Hardcoded secrets in system prompts or LLM configuration. API keys, database credentials, authentication tokens, or internal URLs embedded directly in prompt strings or LLM client configuration files.

  • PII included in prompt templates. Email addresses, Social Security numbers, credit card numbers, or other personally identifiable information hardcoded into prompt templates used across user sessions.

  • LLM responses returned without output filtering. Code paths where the raw LLM response is sent directly to the client without scanning for sensitive patterns such as credentials, PII, or internal system details.

  • RAG pipelines without access control on document retrieval. Retrieval-Augmented Generation implementations that query a vector store or document index without verifying that the requesting user is authorized to view the retrieved documents.

  • Logging of full LLM conversations. Application code that writes complete request/response payloads to log files or monitoring systems without redacting sensitive user inputs or model outputs.

  • Missing output sanitization. LLM responses passed to the client or downstream systems without any redaction layer to strip credentials, internal paths, or other sensitive data the model may have generated.


This category maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-532 (Insertion of Sensitive Information into Log File), and CWE-798 (Use of Hard-coded Credentials). See the CWE Reference for details.


Overlap with OWASP Top 10 Web

This category relates to A04:2025 Cryptographic Failures (sensitive data exposure through inadequate protection) and A07:2025 Authentication Failures (hardcoded credentials). The LLM context amplifies these risks because the model itself can act as an unintentional data exfiltration channel, surfacing secrets or PII in its generated responses even when the application code does not directly expose them.


Prevention

  • Never embed API keys, database credentials, or other secrets in system prompts or LLM configuration. Use a dedicated secret manager and inject values at runtime.
  • Implement an output filtering layer that scans LLM responses for sensitive patterns (credit card numbers, SSNs, API key formats, internal hostnames) before returning them to users.
  • Enforce access control on RAG document retrieval so that users can only receive content they are authorized to view.
  • Sanitize logs to exclude sensitive conversation data. Redact user inputs and model outputs, or use structured logging with explicit field-level filtering.
  • Classify data sources used in RAG pipelines by sensitivity level and apply retrieval restrictions accordingly.
  • Implement system prompt protection to prevent the model from disclosing its instructions when prompted by users.
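The following Python is an added example, not Radar's or any vendor's code, showing the runtime side of the prevention items above in one pipeline: a redaction layer applied both to the model's output before it reaches the client and to log records, and a retrieval wrapper that enforces classification and group checks before documents are handed to the model. The internal DNS suffix, the classification levels, the key formats and the sample documents are all constructed assumptions.

```python
"""Output filtering, log redaction and access-controlled retrieval (example code)."""
import logging
import re
from dataclasses import dataclass, field

INTERNAL_SUFFIX = r"\.corp\.internal\b"  # assumed internal DNS suffix for this example

# Narrow patterns run before the broad CARD pattern; prefixes are illustrative only.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("API_KEY", re.compile(r"\b(?:sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})\b")),
    ("HOST", re.compile(r"\b[\w-]+(?:\.[\w-]+)*" + INTERNAL_SUFFIX)),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so Luhn-invalid digit runs (order ids, phone numbers) stay visible."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Replace each sensitive match with a typed placeholder and return the filtered text."""
    for label, pat in PATTERNS:
        def _sub(m, label=label):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)  # not a card number, leave the digits alone
            return f"[REDACTED_{label}]"
        text = pat.sub(_sub, text)
    return text


class RedactingFilter(logging.Filter):
    """Logger-level filter: redact the rendered message before any handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def make_redacting_logger(name: str = "llm_app") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger


LEVELS = {"public": 0, "internal": 1, "restricted": 2}  # assumed classification scheme


@dataclass
class Document:
    doc_id: str
    text: str
    classification: str
    allowed_groups: set = field(default_factory=set)  # empty set = no group restriction


@dataclass
class User:
    user_id: str
    groups: set
    clearance: str


def authorized_retrieve(index, user, query, k=3):
    """Filter by authorization first, then rank: a denied document is never a candidate
    and can neither leak into nor distort the top-k context window."""
    def may_read(doc):
        level_ok = LEVELS[doc.classification] <= LEVELS[user.clearance]
        group_ok = not doc.allowed_groups or bool(doc.allowed_groups & user.groups)
        return level_ok and group_ok

    q_terms = set(query.lower().split())
    candidates = [d for d in index if may_read(d)]
    # Naive term-overlap ranking stands in for a vector similarity search.
    candidates.sort(key=lambda d: -len(q_terms & set(d.text.lower().split())))
    return candidates[:k]


def answer(user, query, index, llm_call, logger):
    """End to end: authorized retrieval -> model -> output filter -> redacted log line."""
    docs = authorized_retrieve(index, user, query)
    context = "\n".join(d.text for d in docs)
    raw = llm_call(context, query)  # any LLM client; injected so the example runs offline
    safe = redact(raw)              # output filter runs before the client sees anything
    logger.info("user=%s query=%s response=%s", user.user_id, query, safe)
    return safe


SAMPLE_INDEX = [  # constructed documents
    Document("d1", "Refund policy: refunds are issued within 14 days.", "public"),
    Document("d2", "Payroll runs on host payroll01.corp.internal every Friday.", "internal"),
    Document("d3", "Merger memo: acquisition of ExampleCo closes in Q3.", "restricted", {"exec"}),
]
```

Two design points are worth noting. The access check runs before ranking, which is what a vector store's metadata filter should do too: filtering after a top-k search lets a denied document consume slots and makes the empty-result case depend on ranking luck. And the output filter is applied even to content the user was authorized to retrieve (an internal user still gets the hostname redacted), since the same response is what ends up in the log and in any downstream system.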

Next Steps

Previous: LLM01:2025

Prompt Injection. Untrusted input manipulates LLM behavior.

Next: LLM03:2025

Supply Chain. Vulnerabilities in AI dependencies and models.

OWASP Top 10 Overview

All OWASP standards mapped by Radar.
