Examining Major AI Security Threats

A novel cybersecurity threat dubbed ‘prompt hijacking’ has been identified by security researchers, exploiting vulnerabilities in the way AI systems communicate via the Model Context Protocol (MCP). This poses a significant risk to organizations increasingly integrating AI into their core operations.

As businesses strive to leverage AI for enhanced efficiency and decision-making, particularly through direct access to proprietary data and internal tools, a new attack surface emerges. The concern isn’t necessarily within the AI models themselves, but rather in the protocols and infrastructure facilitating data exchange and communication with these models. This necessitates a paradigm shift for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to prioritize the security of data streams feeding AI, mirroring the robust security measures already in place for the AI systems themselves.

Why AI Attacks Targeting Protocols are So Dangerous

At the heart of the issue is a fundamental limitation of AI models, regardless of their deployment environment – be it cloud-based platforms like Google or Amazon, or running locally on edge devices. These models operate based on the datasets they were trained on, lacking real-time awareness of the current context. They are oblivious to the code a programmer is actively developing or the content of a specific file on a computer.

Protocols like MCP, initially developed to bridge this gap, aim to provide AI with secure access to real-world data and services. For instance, MCP enables an AI assistant to understand the context of a programming task when a developer references a specific code snippet. However, JFrog’s findings reveal that certain implementations of MCP are susceptible to prompt hijacking, potentially transforming a valuable AI tool into a significant security liability.

Consider a scenario where a programmer requests an AI assistant to suggest a Python library for image processing. The AI should ideally recommend Pillow, a well-established and widely used package. However, due to a flaw (CVE-2025-6515) discovered in the oatpp-mcp implementation, an attacker could inject a malicious command into the user’s session. The compromised server would then treat the attacker’s request as legitimate, originating from the authenticated user.

Consequently, the programmer might receive a recommendation from the AI for a fictitious tool called theBestImageProcessingPackage. This represents a serious threat to the software supply chain. Utilizing prompt hijacking, an attacker could inject malicious code, exfiltrate sensitive data, or execute arbitrary commands, all disguised as part of the programmer’s standard workflow. The subtle nature of this attack vector makes it particularly insidious and difficult to detect.

How This MCP Prompt Hijacking Attack Works

This prompt hijacking attack exploits vulnerabilities in the communication mechanisms facilitated by MCP, rather than targeting the AI model’s inherent security. The specific flaw was uncovered in the oatpp C++ framework’s MCP implementation, which is used to interface applications with the MCP standard.

The vulnerability lies in the handling of connections using Server-Sent Events (SSE). Upon a legitimate user establishing a connection, the server assigns a session ID. However, the flawed implementation uses the computer’s memory address of the session as the session ID. This contravenes the fundamental principle of the protocol, which mandates that session IDs should be unique and cryptographically secure.

This design flaw introduces predictability, as memory addresses are often reused by operating systems to optimize resource allocation. An attacker can exploit this by rapidly creating and terminating numerous sessions to observe and record these predictable session IDs. Subsequently, when a genuine user connects, they might be assigned a recycled ID already known to the attacker.

Armed with a valid session ID, the attacker can then inject their own requests into the server. The server, unable to distinguish between the attacker and the legitimate user, transmits the malicious responses back to the user’s connection.

Even if specific applications implement input validation by only accepting certain types of responses, attackers can often circumvent these restrictions through a technique known as “spraying.” This involves sending a high volume of messages with common event numbers until one is accepted. This allows the attacker to manipulate the model’s behavior without directly compromising the AI itself. Any organization using oatpp-mcp with HTTP SSE enabled on a network accessible to potential attackers is exposed to this risk.

What Should AI Security Leaders Do?

The identification of this MCP prompt hijacking attack serves as a critical wake-up call for all technology leaders, particularly CISOs and CTOs, involved in the development and deployment of AI assistants. As AI becomes increasingly integrated into workflows through protocols like MCP, the attack surface expands. Securing the ecosystem surrounding AI must now be a top-tier priority.

While this specific CVE affects one particular implementation, the broader concept of prompt hijacking represents a generalized threat. To mitigate this and similar attacks, organizations must establish robust security policies and best practices for their AI systems.

First, organizations must ensure that all AI services enforce secure session management. Development teams must mandate the use of strong, cryptographically secure random generators for creating session IDs. This should be a mandatory element of any security checklist for AI applications. The use of predictable identifiers, such as memory addresses, is unacceptable.

Second, strengthen client-side defenses. Client applications should be designed to reject any event that does not match the expected IDs and types. Simple, incrementing event IDs are vulnerable to spraying attacks and should be replaced with unpredictable identifiers that avoid collisions.

Finally, implement zero-trust principles for AI protocols. Security teams must conduct a thorough assessment of the entire AI ecosystem, from the core model to the protocols and middleware that connect it to data sources. These communication channels must enforce strong session separation and expiration mechanisms, mirroring the session management techniques employed in web applications. This includes mutual TLS (mTLS) authentication and robust access control policies.

This MCP prompt hijacking attack vividly illustrates how a well-known web application vulnerability – session hijacking – is manifesting in a new and potentially more damaging context within the realm of AI. Securing these emerging AI tools requires applying established security fundamentals to prevent attacks at the protocol level. This proactive approach is crucial to ensuring the safe and responsible adoption of AI technologies across the enterprise.