CVE-2025-6515
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-20

Last updated on: 2025-10-21

Assigner: JFrog

Description
The MCP SSE endpoint in oatpp-mcp returns an instance pointer as the session ID, which is not unique nor cryptographically secure. This allows network attackers with access to the oatpp-mcp server to guess future session IDs and hijack legitimate client MCP sessions, returning malicious responses from the oatpp-mcp server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-20
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-6515
EUVD
EUVD-2025-35077
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oatpp oatpp-mcp *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the oatpp-mcp component's MCP SSE endpoint, which returns an instance pointer as the session ID. Because this session ID is neither unique nor cryptographically secure, attackers with network access to the oatpp-mcp server can predict future session IDs. This allows them to hijack legitimate client MCP sessions and inject malicious responses from the server. [1]

Impact Analysis

An attacker who can predict session IDs can hijack legitimate client MCP sessions, potentially allowing them to inject malicious responses from the oatpp-mcp server. This can lead to unauthorized actions or data manipulation within the affected system. [1]

Mitigation Strategies

No proof of concept or mitigations have been provided for this vulnerability, so no specific immediate mitigation steps are available at this time. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart