“Because the session ID determines where the server sends its responses, leaking it opens the door to abuse,” JFrog’s researchers warn. “An attacker that obtains a legitimate session ID can send malicious requests to the MCP server. These requests are processed by the server as if they came from the legitimate client, and the responses are sent back to the original client session.”
For oatpp-mcp, the JFrog researchers demonstrated how attackers could open many connections to the MCP server to generate session IDs and then close those connections so the session IDs would be freed and reassigned to legitimate clients. The attackers can then reuse these IDs to trick the server into sending malicious responses to those clients.
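To make the flaw concrete, here is an added, constructed model (not oatpp-mcp’s code) of a session store that recycles freed IDs, next to a hardened store that issues unpredictable IDs and never reissues one; the `id_reassigned` check reproduces the open/close/reopen sequence described above and reports whether a stale ID ends up addressing a different client.

```python
import secrets


class RecyclingSessionStore:
    """Constructed model of the weakness: IDs are small counters and the
    ID of a closed session goes back on a free list, so the next client
    to connect is handed an ID that someone else has already seen."""

    def __init__(self):
        self._next = 1
        self._free = []
        self.sessions = {}  # session id -> owner label

    def open(self, owner):
        sid = self._free.pop(0) if self._free else str(self._next)
        if sid == str(self._next):
            self._next += 1
        self.sessions[sid] = owner
        return sid

    def close(self, sid):
        del self.sessions[sid]
        self._free.append(sid)  # freed ID will be reassigned


class HardenedSessionStore:
    """Mitigation: 128-bit IDs from a CSPRNG, and an ID that has ever been
    issued is retired for good, so closing a session cannot hand its ID
    to another client."""

    def __init__(self):
        self.sessions = {}
        self._retired = set()

    def open(self, owner):
        while True:
            sid = secrets.token_urlsafe(16)  # 16 random bytes, base64url
            if sid not in self.sessions and sid not in self._retired:
                break
        self.sessions[sid] = owner
        return sid

    def close(self, sid):
        del self.sessions[sid]
        self._retired.add(sid)


def id_reassigned(store_cls):
    """True if an ID released by one party is later issued to another."""
    store = store_cls()
    sid = store.open("party-a")
    store.close(sid)
    return store.open("party-b") == sid
```

Run `id_reassigned` against both classes: the recycling store returns `True` (the freed ID is reissued), the hardened store returns `False`.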
“MCP supports structured requests, including prompts,” the researchers noted. “For example, a client may request a prompt from the server — but during that time, an attacker can inject their own malicious prompt. The client will then receive and potentially act on the attacker’s poisoned response instead of its own legitimate response.”