oatpp MCP Session Hijacking Vulnerability

Vulnerability

A vulnerability in the oatpp-mcp component allows network attackers with access to the oatpp-mcp server to hijack legitimate client MCP sessions. The issue arises because the MCP SSE endpoint returns an instance pointer as the session ID, which lacks uniqueness and cryptographic security. This flaw enables attackers to guess future session IDs and intercept sessions, potentially leading to the execution of malicious responses from the oatpp-mcp server.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can take over a legitimate user's MCP session and manipulate the interaction with the oatpp-mcp server.

Added: Oct 20, 2025, 5:17 PM

Updated: Oct 20, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

7.4

remediation

0.0

relevance

0.8

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.3

exploitability

7.4

remediation

0.0

relevance

0.8

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

oatpp MCP Session Hijacking Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating