A security flaw in the Oat++ implementation of Anthropic's Model Context Protocol (MCP) allows attackers to predict or capture session IDs from active AI conversations, hijack MCP sessions, and inject malicious responses via the oatpp-mcp server.
Oat++ is an open source, C++ web framework for building web applications, and MCP is the Anthropic-developed standard for connecting AI agents with data sources. oatpp-mcp is the Oat++ framework's MCP integration that allows developers to expose application endpoints as MCP-compatible interfaces.
The vulnerability, tracked as CVE-2025-6515, can be exploited to hijack MCP session IDs.
These IDs determine where the MCP server sends its responses. To secure each session, the protocol requires session IDs to be globally unique and randomly generated to ensure miscreants can't simply guess or predict them. This is intended to prevent attackers from hijacking sessions and injecting harmful comments into the MCP server to then be processed by an AI agent.
As JFrog security researchers discovered, however, some oatpp-mcp servers reuse session IDs. The Oat++ MCP implementation supports two transport methods, STDIO and Server-Sent Events (SSE), and the vulnerability exists because the MCP SSE endpoint in oatpp-mcp returns an instance pointer as the session ID - meaning it's neither unique nor cryptographically secure.
It's also worth noting that this attack requires that oatpp-mcp is executed with the HTTP SSE transport, and that the attacker has network access to the relevant HTTP server.
"An attacker can exploit this behavior by rapidly creating and destroying sessions, logging the session IDs and then waiting for those same IDs to be reassigned to legitimate client sessions," JFrog researchers Ori Hollander and Ofri Ouzan said in a Tuesday blog.
"Once a session ID is reused, the attacker can send POST requests using the hijacked ID, for example – requesting tools, triggering prompts, or injecting commands – and the server will forward the relevant responses to the victim's active GET connection in addition to the responses generated for the victim's original requests," they wrote.
Neither Anthropic nor the Oat++ project maintainers immediately responded to The Register's inquiries. We will update this story if and when they do.
In addition to the technical details, the JFrog bug hunters also demonstrated how to exploit CVE-2025-6515 by running a test server programmed to return Python package names and connecting a Claude client to it.
The theoretical user/victim in this example asks Claude to "find a package for image processing." The attacker, who has sprayed the server with requests containing previously used session IDs until getting a match, directs the server to supply a malicious package to the user. Claude then gives the user the attacker's response instead of the legitimate response to the user's request.
"As AI models become increasingly embedded in workflows via protocols like MCP, they inherit new risks – this session-level exploit shows how the model itself remains untouched while the ecosystem around it is compromised," the researchers wrote.
To prevent this type of prompt hijacking attack due to leaky session IDs, make sure servers use cryptographically secure random number generators.
JFrog also recommends clients avoid simple incrementing IDs, which are vulnerable to spraying attacks, and ensure transport channels use strong session separation and expiry mechanisms. ®
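To make the flaw described above and the recommended fix concrete, here is an added C++ example (not code from oatpp-mcp, Oat++ or JFrog): a constructed session table that hands out address-derived IDs, shown beside a generator that draws 128 bits from std::random_device. The session table, its slot count, and all function names are assumptions for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>
#include <random>
#include <set>
#include <string>
// Constructed model (not oatpp-mcp code) of a server-side SSE session table with fixed slots.
struct SseSession { bool active = false; };
// Weak scheme from the advisory: the session ID is the object's address rendered as text.
std::string addressId(const void* p) { char b[32]; std::snprintf(b, sizeof b, "%p", p); return b; }
struct SessionTable {
    std::array<SseSession, 4> slots{};
    // Open a session in the first free slot and hand out its (weak) ID.
    std::string openWeak() {
        for (auto& s : slots)
            if (!s.active) { s.active = true; return addressId(&s); }
        return "";  // table full
    }
    // Closing frees the slot; the next client lands on the same address, hence the same ID.
    void close(const std::string& id) {
        for (auto& s : slots) if (addressId(&s) == id) s.active = false;
    }
};
// Hardened scheme: 128 bits from std::random_device (assumed OS-backed), hex-encoded,
// so an ID is neither predictable nor recycled when a slot is reused.
std::string secureSessionId() {
    static const char* hex = "0123456789abcdef";
    std::random_device rd;
    std::string id;
    for (int w = 0; w < 4; ++w) {
        unsigned v = rd();
        for (int sh = 28; sh >= 0; sh -= 4) id += hex[(v >> sh) & 0xF];
    }
    return id;
}
// Churn check: a session opened right after an open/close cycle receives the ID
// that was logged for the previous session, which is the reuse the advisory describes.
bool weakIdIsRecycled() {
    SessionTable t;
    std::string logged = t.openWeak();
    t.close(logged);
    return t.openWeak() == logged;
}
// Sanity check for the hardened generator: n freshly issued IDs should all differ.
std::size_t distinctSecureIds(std::size_t n) {
    std::set<std::string> seen;
    for (std::size_t i = 0; i < n; ++i) seen.insert(secureSessionId());
    return seen.size();
}
```

The same reuse check can be pointed at any server-side ID generator during review: if a close followed by an open can ever return a previously issued ID, the scheme fails the protocol's uniqueness requirement.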