MCP Prompt Hijacking: Understanding the Major AI Security Threat
Researchers at JFrog discovered a significant vulnerability known as «prompt hijacking,» which exploits weaknesses in the Model Context Protocol (MCP) used for inter-AI communication.
Why AI Attacks Targeting MCP Are Dangerous
AI models lack awareness of current contexts beyond their training data. Anthropic’s MCP enables AI to interact with live environments and utilize local data and services. However, flaws in MCP implementations, such as CVE-2025-6515 in oatpp-mcp, allow attackers to impersonate users and manipulate AI recommendations.
How MCP Prompt Hijacking Works
Attackers exploit vulnerabilities in the handling of Server-Sent Events (SSE) within the Oat++ framework. Instead of generating secure session IDs, the system uses memory addresses, making IDs predictable and susceptible to recycling. By rapidly opening and closing sessions, attackers can obtain valid session IDs and send malicious requests.
Mitigating MCP Prompt Hijacking Risks
To prevent such attacks:
- Implement robust session management with cryptographic session ID generation.
- Strengthen client-side validation to reject unexpected or invalid events.
- Apply zero-trust principles across AI systems, ensuring strict session isolation and expiration policies.
These measures help safeguard AI ecosystems from emerging threats by leveraging established security practices.
