“Since the session ID determines where the server sends its responses, leaking it opens the door to abuse,” JFrog’s researchers warn. “An attacker that obtains a valid session ID can send malicious requests to the MCP server. These requests are processed by the server as if they came from the legitimate client, and the responses are sent back to the original client session.”
For oatpp-mcp, the JFrog researchers demonstrated how an attacker could open a large number of connections to the MCP server to harvest session IDs, then close those connections so the IDs are freed and later reassigned to legitimate clients. Because the attacker still holds the recycled IDs, any request they send with one of them is processed in the victim's session, and the server delivers the attacker-influenced response to that client.
“MCP supports structured requests, including prompts,” the researchers noted. “For example, a client may request a prompt from the server — but during that time, an attacker can inject their own malicious prompt. The client will then receive and potentially act on the attacker’s poisoned response instead of its own legitimate response.”
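The harvest-close-replay sequence above is easy to see in a small simulation. The following is an added example, not code from JFrog or from oatpp-mcp: it models a server whose session store hands a freed ID to the next client (any allocator with that property, whatever the mechanism), runs the attack against it, and then runs the same attack against a store that issues random, never-reused IDs. All class and function names, and the "attacker"/"victim" labels, are assumptions made for the illustration.

```python
"""Simulation of session-ID recycling in an MCP-style server (constructed example)."""
import secrets
from collections import deque


class RecyclingSessionStore:
    """Weak allocator: sequential IDs, and a closed session's ID is handed
    to the next session that opens. Stands in for any scheme in which a
    freed identifier can be reassigned to a later, unrelated client."""

    def __init__(self):
        self._next = 1
        self._free = deque()      # freed IDs, reused first-in first-out
        self.sessions = {}        # session ID -> owner of the response stream

    def open(self, owner):
        if self._free:
            sid = self._free.popleft()
        else:
            sid, self._next = self._next, self._next + 1
        self.sessions[sid] = owner
        return sid

    def close(self, sid):
        del self.sessions[sid]
        self._free.append(sid)


class RandomSessionStore:
    """Hardened allocator: 128-bit random IDs that are never recycled."""

    def __init__(self):
        self.sessions = {}

    def open(self, owner):
        sid = secrets.token_urlsafe(16)   # 16 bytes = 128 bits of entropy
        self.sessions[sid] = owner
        return sid

    def close(self, sid):
        del self.sessions[sid]            # freed ID is simply forgotten


def handle_request(store, sid, body):
    """Server dispatch: a request carrying a valid session ID is processed in
    that session and its response is routed to the session owner's stream.
    Returns (owner, response) or None for an unknown session."""
    owner = store.sessions.get(sid)
    if owner is None:
        return None
    return owner, f"response to {body!r}"


def simulate(store, harvest=50):
    """Run the harvest-close-replay attack against a session store.
    Returns (victim_session_id, list of harvested IDs that hijacked the victim)."""
    # 1. Attacker opens many connections and records the session IDs.
    harvested = [store.open("attacker") for _ in range(harvest)]
    # 2. Attacker closes them all, returning the IDs to the allocator.
    for sid in harvested:
        store.close(sid)
    # 3. A legitimate client connects and is assigned a session ID.
    victim_sid = store.open("victim")
    # 4. Attacker replays each harvested ID with a poisoned prompt request.
    hijacked = []
    for sid in harvested:
        result = handle_request(store, sid, "poisoned prompt")
        if result is not None and result[0] == "victim":
            hijacked.append(sid)      # response went to the victim's stream
    return victim_sid, hijacked


if __name__ == "__main__":
    print("recycling store:", simulate(RecyclingSessionStore()))
    print("random store:   ", simulate(RandomSessionStore()))
```

Against the recycling store the victim receives the first freed ID, so one of the attacker's replays lands in the victim's session and the poisoned response is delivered to the victim; against the random store every replayed ID is unknown and the requests are rejected. Random IDs remove the reuse window, but a server should still bind each session to the connection it was created on, so that a leaked ID on its own is not enough to inject into a client's stream.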