CVE-2025-6515
BaseFortify
Publication date: 2025-10-20
Last updated on: 2025-10-21
Assigner: JFrog
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oatpp | oatpp-mcp | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the oatpp-mcp component's MCP SSE endpoint, which returns an instance pointer as the session ID. Because this session ID is neither unique nor cryptographically secure, attackers with network access to the oatpp-mcp server can predict future session IDs. This allows them to hijack legitimate client MCP sessions and inject malicious responses from the server. [1]
How can this vulnerability impact me? :
An attacker who can predict session IDs can hijack legitimate client MCP sessions, potentially allowing them to inject malicious responses from the oatpp-mcp server. This can lead to unauthorized actions or data manipulation within the affected system. [1]
What immediate steps should I take to mitigate this vulnerability?
No proof of concept or mitigations have been provided for this vulnerability, so no specific immediate mitigation steps are available at this time. [1]