MCP attack uses predictable session IDs to hijack AI agents

"The vulnerability, tracked as CVE-2025-6515, can be exploited to hijack MCP session IDs. These IDs determine where the MCP server sends its responses. To secure each session, the protocol requires session IDs to be globally unique and randomly generated to ensure miscreants can't simply guess or predict them. This is intended to prevent attackers from hijacking sessions and injecting harmful comments into the MCP server to then be processed by an AI agent."
"As JFrog security researchers discovered, however, some oatpp-mcp servers reuse session IDs. The Oat++ MCP implementation supports two transport methods, STDIO and Server-Sent Events (SSE), and the vulnerability exists because the MCP SSE endpoint in oatpp-mcp returns an instance pointer as the session ID - meaning it's neither unique nor cryptographically secure. It's also worth noting that this attack requires that oatpp-mcp is executed with the HTTP SSE transport, and that the attacker has network access to the relevant HTTP server."
A security flaw in oatpp-mcp causes Server-Sent Events (SSE) session IDs to be non-unique and predictable because the MCP SSE endpoint returns an instance pointer as the session ID. The protocol requires globally unique, randomly generated session IDs to prevent guessing and session hijacking. When oatpp-mcp reuses session IDs, an attacker with network access to the HTTP SSE transport can rapidly create and destroy sessions, log assigned IDs, and wait for those IDs to be reassigned to legitimate clients. Once an ID is reused, the attacker can send POST requests with the hijacked ID to request tools, trigger prompts, or inject commands into the MCP server.
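The difference between an address-derived session ID and a randomly generated one, as an added example (not oatpp-mcp code and not from the article). `Session`, `pointer_session_id`, `random_session_id` and `distinct_ids` are hypothetical names, and the random variant assumes a POSIX system with `/dev/urandom`.

```cpp
#include <cstddef>
#include <cstdio>
#include <fstream>
#include <set>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a per-connection SSE session object.
struct Session { char state[256]; };

// Weak pattern from the summary: the session ID is the object's address.
std::string pointer_session_id(const Session* s) {
    char buf[32];
    std::snprintf(buf, sizeof buf, "%p", const_cast<void*>(static_cast<const void*>(s)));
    return buf;
}

// Hardened pattern: 128 bits from the OS CSPRNG, hex-encoded.
// Assumes a POSIX system that exposes /dev/urandom.
std::string random_session_id() {
    unsigned char raw[16];
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom.read(reinterpret_cast<char*>(raw), sizeof raw))
        throw std::runtime_error("CSPRNG unavailable; refuse to issue an ID");
    static const char hex[] = "0123456789abcdef";
    std::string id;
    for (unsigned char b : raw) { id += hex[b >> 4]; id += hex[b & 0x0f]; }
    return id;
}

// Open and close n sessions one after another and count the distinct IDs issued.
std::size_t distinct_ids(int n, bool use_pointer) {
    std::set<std::string> seen;
    for (int i = 0; i < n; ++i) {
        Session* s = new Session();
        seen.insert(use_pointer ? pointer_session_id(s) : random_session_id());
        delete s;  // the allocator may hand this address to the next session
    }
    return seen.size();
}

int main() {
    std::printf("pointer-derived: %zu distinct IDs in 1000 sessions\n", distinct_ids(1000, true));
    std::printf("CSPRNG-derived:  %zu distinct IDs in 1000 sessions\n", distinct_ids(1000, false));
}
```

How often an address repeats depends on the allocator, which is why the address cannot serve as a unique or unpredictable identifier.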
Read at Theregister