CVE-2025-6515

Name of the Vulnerable Software and Affected Versions oatpp-mcp (affected versions not specified)

Description The MCP SSE endpoint returns an instance pointer as the session ID, which is not unique or cryptographically secure. This allows network attackers with access to the oatpp-mcp server to guess future session IDs and hijack legitimate client MCP sessions, potentially resulting in malicious responses from the oatpp-mcp server. The vulnerable endpoint is /MCP SSE. The session ID is not sufficiently random, enabling session hijacking.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.