Session Hijacking Vulnerability in Oatpp MCP Endpoint by Oatpp
CVE-2025-6515

6.8 MEDIUM

Key Information:

Vendor: Oatpp

Status
Vendor
CVE Published: 20 October 2025

What is CVE-2025-6515?

The Oatpp MCP endpoint is vulnerable because it uses a session ID that is neither unique nor cryptographically secure. Attackers with network access can guess session IDs and hijack the active sessions of legitimate clients. By exploiting this vulnerability, attackers can send malicious responses from the Oatpp MCP server, leading to unauthorized access and potential data breaches. Organizations using Oatpp MCP should implement security measures to mitigate these risks.

Affected Version(s)

oatpp-mcp 0

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
