Model Context Protocol Ruby SDK Session Hijacking Vulnerability in Streamable HTTP Transport

A session hijacking vulnerability has been identified in the Model Context Protocol (MCP) Ruby SDK, specifically in versions prior to 0.9.2. The issue resides in the streamable_http_transport.rb implementation, where an attacker with a valid session ID can hijack the victim's Server-Sent Events (SSE) stream, intercepting all real-time data. This vulnerability arises because the SDK does not bind session IDs to user identities, allowing unauthorized users to take over active streams.

Impact

Exploitation of this vulnerability allows an attacker to intercept and replace the victim's SSE stream, causing all real-time data, including potentially sensitive tool responses, to be redirected to the attacker.

Reproduction

The vulnerability can be reproduced by first establishing a legitimate SSE connection using a valid session ID. Once the stream is active, an attacker can use the same session ID to initiate a new SSE connection, which will replace the original stream. This can be done using a simple Python script that connects to the Ruby server and takes over the stream.

Remediation

Users of the MCP Ruby SDK should update to version 0.9.2, which includes a patch for this vulnerability by rejecting duplicate SSE connections and implementing session-to-user identity binding.