TLDR: A critical security vulnerability (CVE-2025-6515) has been identified in the Oat++ implementation of Anthropic’s Model Context Protocol (MCP). This flaw allows attackers to predict or capture session IDs, enabling them to hijack active AI conversations, inject malicious responses, and potentially manipulate AI agents by directing them to supply harmful packages or execute unintended commands. The vulnerability stems from the reuse of session IDs and the use of instance pointers as session identifiers, compromising the intended cryptographic security of the protocol.
A significant security vulnerability, tracked as CVE-2025-6515, has been uncovered in the Oat++ implementation of Anthropic’s Model Context Protocol (MCP), posing a risk of session hijacking for AI agents. The flaw, detailed by JFrog security researchers Ori Hollander and Ofri Ouzan, allows malicious actors to predict or capture session IDs from active AI conversations, subsequently injecting harmful responses via the oatpp-mcp server.
Oat++ is an open-source C++ web framework widely used for building web applications. Anthropic’s MCP, on the other hand, is a standard designed to facilitate the connection of AI agents with various data sources. The oatpp-mcp component serves as the Oat++ framework’s integration for MCP, allowing developers to expose application endpoints as MCP-compatible interfaces.
The core of the vulnerability lies in the handling of session IDs. The MCP protocol mandates that session IDs be globally unique and cryptographically random to prevent prediction or guessing by attackers. This measure is crucial for preventing the hijacking of sessions and the injection of malicious commands into the MCP server, which would then be processed by an AI agent. However, JFrog researchers discovered that some oatpp-mcp servers fail to adhere to this standard, reusing session IDs.
Specifically, the vulnerability arises because the MCP Server-Sent Events (SSE) endpoint within oatpp-mcp returns an instance pointer as the session ID. This practice renders the session ID neither unique nor cryptographically secure, making it susceptible to exploitation. For an attack to be successful, oatpp-mcp must be executed with the HTTP SSE transport, and the attacker must have network access to the relevant HTTP server.
JFrog researchers explained the attack mechanism: “An attacker can exploit this behavior by rapidly creating and destroying sessions, logging the session IDs and then waiting for those same IDs to be reassigned to legitimate client sessions.” Once a session ID is reused and hijacked, the attacker gains the ability to send POST requests using that ID. This allows them to, for instance, request tools, trigger prompts, or inject commands. The compromised server would then forward these attacker-generated responses to the victim’s active GET connection, alongside any legitimate responses.
To illustrate the potential impact, the JFrog bug hunters demonstrated an exploit scenario. They ran a test server configured to return Python package names and connected a Claude client to it. In this example, a theoretical user asks Claude to “find a package for image processing.” The attacker, having previously sprayed the server with requests to log and match session IDs, then directs the server to supply a malicious package to the user. Consequently, Claude presents the attacker’s harmful response to the user instead of the legitimate one.
Hollander and Ouzan emphasized the broader implications of such vulnerabilities in the evolving AI landscape: “As AI models become increasingly embedded in workflows via protocols like MCP, they inherit new risks – this session-level exploit shows how the model itself remains untouched while the ecosystem around it is compromised.” This highlights that even if the AI model itself is secure, the surrounding infrastructure and protocols can introduce critical vulnerabilities.
To mitigate these risks and prevent prompt hijacking attacks stemming from leaky session IDs, JFrog recommends that developers ensure their servers utilize cryptographically secure random number generators for session IDs. Furthermore, clients should avoid simple incrementing IDs, which are vulnerable to spraying attacks, and implement strong session separation and expiry mechanisms across all transport channels. As of the report, neither Anthropic nor the Oat++ project maintainers had immediately responded to inquiries regarding the vulnerability.
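As an added illustration of the mitigation described above (example code written for this page, not code from oatpp-mcp or from JFrog's report): a small session store that mints IDs from the operating system's CSPRNG instead of an object address, and enforces expiry and explicit teardown so an ID is never handed to a second client. It assumes a Linux-style /dev/urandom is present.

```cpp
// Added example (not oatpp-mcp code): session IDs drawn from the OS CSPRNG
// instead of an object address, plus expiry and explicit teardown.
#include <chrono>
#include <fstream>
#include <stdexcept>
#include <string>
#include <unordered_map>

using Clock = std::chrono::steady_clock;

// 128 bits from /dev/urandom, hex-encoded: 32 chars, unguessable, not reused.
std::string newSessionId() {
    unsigned char buf[16];
    std::ifstream urandom("/dev/urandom", std::ios::binary);  // assumed to exist
    if (!urandom.read(reinterpret_cast<char*>(buf), sizeof buf))
        throw std::runtime_error("CSPRNG unavailable; refusing to mint a session ID");
    static const char* hex = "0123456789abcdef";
    std::string id;
    id.reserve(32);
    for (unsigned char b : buf) { id += hex[b >> 4]; id += hex[b & 0x0f]; }
    return id;
}

struct Session { Clock::time_point expires; };

class SessionStore {
public:
    explicit SessionStore(std::chrono::seconds ttl) : ttl_(ttl) {}
    // Mint a fresh ID when a new SSE stream is opened.
    std::string create(Clock::time_point now = Clock::now()) {
        std::string id = newSessionId();
        sessions_[id] = Session{now + ttl_};
        return id;
    }
    // A POST carrying a session ID is accepted only while that exact ID is live.
    bool valid(const std::string& id, Clock::time_point now = Clock::now()) {
        auto it = sessions_.find(id);
        if (it == sessions_.end()) return false;
        if (now >= it->second.expires) { sessions_.erase(it); return false; }
        return true;
    }
    // Closing the SSE stream retires the ID; it is never reassigned to another client.
    void destroy(const std::string& id) { sessions_.erase(id); }
private:
    std::chrono::seconds ttl_;
    std::unordered_map<std::string, Session> sessions_;
};
```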