{"id":5508,"date":"2025-10-22T22:02:44","date_gmt":"2025-10-22T22:02:44","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5508"},"modified":"2025-10-22T22:02:44","modified_gmt":"2025-10-22T22:02:44","slug":"prompt-hijacking-puts-mcp-based-ai-workflows-at-risk","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5508","title":{"rendered":"Prompt hijacking puts MCP-based AI workflows at risk"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Model context protocol (MCP) gives IT teams a standardized way to connect large language models (LLMs) to tools and data sources when developing AI-based workflows.<\/p>\n

But security researchers warn that MCP-based AI workflows can be vulnerable to malicious prompt injection attacks if session ID management was implemented insecurely on the MCP servers facilitating the connection.<\/p>\n

\u201cAlthough Session Hijacking is a well-known vulnerability in web applications, Prompt Hijacking is a new spin on this vulnerability and a dangerous attack vector enabled by MCP\u2019s interaction patterns, as seen in MCP servers that generate predictable session IDs,\u201d researchers from security firm JFrog wrote in a new report<\/a>.<\/p>\n

An example of how this issue can impact AI workflows and agents is a recent vulnerability that JFrog found in oatpp-mcp, the MCP implementation for Oat++ (oatpp), a popular framework for developing web applications in C++. Tracked as CVE-2025-6515, the flaw stems from the fact that oatpp-mcp generates guessable session IDs for use in its communication with MCP clients, an issue that other MCP servers might have as well.<\/p>\n

How MCP servers secure communication<\/h2>\n

The Model Context Protocol was developed by AI company Anthropic to allow communication between LLMs and external data sources or applications to improve workflow context. MCP has been widely adopted and is a key component in developing AI agents that automate tasks by leveraging external tools.<\/p>\n

MCP uses a client-server model and supports multiple communication methods. An application or data source that wants to expose its contents or functionality to an LLM does so to its own MCP server, and the AI agent, AI chatbot application, or IDE that is the interface for interacting with an LLM through prompts can pull in context data from MCP servers through an MCP client implementation.<\/p>\n

Let\u2019s say a developer working in an IDE that has their favorite model plugged in tells the model to find the best Python package for a particular task. The model can use the IDE\u2019s MCP client to connect to an MCP server designed to search for the Python Index (PyPI) and return a package name for that query.<\/p>\n

MCP servers and clients support several types of communication, including HTTP with Server-Sent Events (SSE). In this transport mechanism, which is used by oatpp-mcp, the client initiates a connection to the server with a GET request and the server generates and responds with a session ID. Then the client can use that session ID to send POST requests to the endpoints exposed by the MCP server and the server will return the results in JSON format.<\/p>\n

Session IDs must be unique and secure<\/h2>\n

The session IDs are a way for the MCP server to differentiate between simultaneous connections from different clients, which is why it\u2019s important for them to be unique and generated in a cryptographically secure manner \u2014 meaning they can\u2019t be guessed. This is a requirement in the new Streamable HTTP specification of the MCP protocol, but it wasn\u2019t a requirement in the original SSE transport specification, meaning that many MCP servers might not have implemented session ID uniqueness.<\/p>\n

\u201cSince the session ID determines where the server sends its responses, leaking it opens the door to abuse,\u201d JFrog\u2019s researchers warn. \u201cAn attacker that obtains a valid session ID can send malicious requests to the MCP server. These requests are processed by the server as if they came from the legitimate client, and the responses are sent back to the original client session.\u201d<\/p>\n

For oatpp-mcp, the JFrog researchers demonstrated how attackers could open a large number of connections to the MCP server to generate session IDs and then close the connections so those session IDs can be freed and reassigned to legitimate clients. The attackers can then reuse those IDs to trick the server into generating malicious responses to those clients.<\/p>\n

\u201cMCP supports structured requests, including prompts,\u201d the researchers noted. \u201cFor example, a client may request a prompt from the server \u2014 but during that time, an attacker can inject their own malicious prompt. The client will then receive and potentially act on the attacker\u2019s poisoned response instead of its own legitimate response.\u201d<\/p>\n

Mitigations<\/h2>\n

First, MCP server developers must review their implementations and use cryptographically secure random number generators with at least 128 bits of entropy in order to generate unique session IDs that are not reused.<\/p>\n

If servers don\u2019t do this, the MCP client side can use event IDs for its requests to mitigate this issue by only accepting responses with the same event ID. Like with sessions, these event IDs need to be unpredictable. Unfortunately, the researchers found that many MCP clients use incremental event IDs that can be brute-forced.<\/p>\n

\u201cAs AI models become increasingly embedded in workflows via protocols like MCP, they inherit new risks \u2014 this session-level exploit shows how the model itself remains untouched while the ecosystem around it is compromised,\u201d the researchers said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Model context protocol (MCP) gives IT teams a standardized way to connect large language models (LLMs) to tools and data sources when developing AI-based workflows. But security researchers warn that MCP-based AI workflows can be vulnerable to malicious prompt injection attacks if session ID management was implemented insecurely on the MCP servers facilitating the connection. […]<\/p>\n","protected":false},"author":0,"featured_media":5507,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5508"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5508"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5508\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5507"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}