AI Threat Lurks in Shadows: Hijacked Prompts Put Business Integrity at Risk


The Growing Threat of MCP Prompt Hijacking in AI Systems

Developed by Anthropic to address the limitations of AI models, Model Context Protocol (MCP) enables AI systems to connect with the real world, allowing them to safely utilize local data and online services. This protocol is essential for enabling AI assistants like Claude to understand the context of code snippets and provide accurate recommendations.

However, researchers have discovered a flaw in the oatpp-mcp system that allows an attacker to exploit this protocol, leading to prompt hijacking. This vulnerability enables an attacker to intercept and manipulate requests between an AI model and its user, effectively taking control of the interaction.

Imagine a programmer requesting an AI assistant to recommend a standard Python tool for working with images. The AI should suggest Pillow, a popular and well-established library. But due to the MCP prompt hijacking weakness (CVE-2025-6515), an attacker could intercept this request, replace it with their own malicious suggestion, and convince the server to treat it as if it came from the real user.

The programmer would then receive a bad recommendation for “theBestImageProcessingPackage,” which is actually a malicious tool designed to steal data or execute unauthorized commands. The attack targets the transport that connects the AI system to its user rather than the model itself, which makes it particularly insidious: the model behaves normally while the answer the user sees has been swapped.

This attack takes advantage of the way the oatpp-mcp system handles connections using Server-Sent Events (SSE). When a legitimate user connects, the server assigns a unique session ID. However, due to the flaw in the system, a memory address inside the server process is used as the session ID instead. Because freed addresses are handed out again, this identifier is predictable: an attacker can quickly create and close many sessions and record the addresses they were assigned.

Later, when a real user reconnects, they might receive one of these recycled IDs that the attacker already has. The server, unaware of this manipulation, sends the attacker’s responses back to the legitimate user’s connection. Even when a client only accepts responses that match the event IDs it expects, an attacker can often get around this by sending multiple messages carrying commonly used event IDs until one is accepted.

The implications for businesses are severe. As they increasingly rely on AI systems to drive innovation and efficiency, they must now also prioritize security. The prompt hijacking attack highlights the need for robust session management, which involves using strong, random generators to create session IDs. Client programs should be designed to reject any event that doesn’t match expected IDs and types.

Furthermore, zero-trust principles must be applied to AI protocols, ensuring that all channels are thoroughly checked, from the basic model to middleware and data connections. This requires implementing strong session separation and expiration mechanisms.

To protect against prompt hijacking and similar attacks, leaders should follow these best practices:

  1. Secure Session Management: Ensure that servers create session IDs using strong, random generators.
  2. Strengthen Defenses on the User Side: Client programs should be designed to reject any event that doesn’t match expected IDs and types.
  3. Apply Zero-Trust Principles for AI Protocols: Check the entire AI setup, from the basic model to protocols and middleware, using strong session separation and expiration mechanisms.
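The following Python script is an added example, not code from the article, from oatpp-mcp or from Anthropic. It models the two halves of the problem described above: on the server side, a session ID minted from a recycled memory address (modelled with a constructed toy allocator so the recycling is deterministic) beside one minted from the OS random generator; on the client side, an event filter that accepts an SSE event only if it belongs to this session, has the expected type, and answers a request ID the client actually issued. It goes one step beyond the article in showing that the filter is only as good as the request IDs it tracks: with sequential IDs a guessed "common" ID still gets through, with unpredictable IDs it does not. All class and function names are assumptions for the illustration.

```python
"""Session-ID hardening and client-side event validation for an SSE-style
MCP transport. Constructed example, not oatpp-mcp or Anthropic code."""
import secrets
from dataclasses import dataclass
from itertools import count


# ---- server side: how the session ID is minted -----------------------------
class ToyAllocator:
    """Constructed stand-in for the heap: freed addresses are handed out again
    first, which is what makes an address-based session ID predictable."""

    def __init__(self, base=0x7F3A_0000, stride=0x40):
        self.base, self.stride = base, stride
        self.fresh = count()          # counter for never-used slots
        self.free_list = []

    def alloc(self):
        if self.free_list:
            return self.free_list.pop()              # recycled address
        return self.base + self.stride * next(self.fresh)

    def free(self, addr):
        self.free_list.append(addr)


class WeakSessionServer:
    """Flawed scheme from the article: the session object's address is the ID."""

    def __init__(self):
        self.heap = ToyAllocator()
        self.open_sessions = set()

    def connect(self):
        sid = f"{self.heap.alloc():x}"
        self.open_sessions.add(sid)
        return sid

    def disconnect(self, sid):
        self.open_sessions.discard(sid)
        self.heap.free(int(sid, 16))     # address goes back on the free list


class StrongSessionServer:
    """Hardened scheme: 256-bit ID from the OS CSPRNG, unrelated to server state."""

    def __init__(self):
        self.open_sessions = set()

    def connect(self):
        sid = secrets.token_urlsafe(32)
        self.open_sessions.add(sid)
        return sid

    def disconnect(self, sid):
        self.open_sessions.discard(sid)


def session_id_reuse_ratio(server, rounds):
    """Open and close `rounds` sessions; fraction of IDs that were repeats.
    0.0 means every session got a fresh ID; close to 1.0 means recycling."""
    seen = set()
    for _ in range(rounds):
        sid = server.connect()
        seen.add(sid)
        server.disconnect(sid)
    return 1 - len(seen) / rounds


# ---- client side: reject events that do not match an outstanding request ----
@dataclass(frozen=True)
class SseEvent:
    session_id: str
    event_type: str     # SSE "event:" field, e.g. "message"
    request_id: int     # JSON-RPC id the response claims to answer
    payload: str


class ValidatingClient:
    """Accepts an event only if it is for this session, has the expected
    type, and answers a request id this client actually issued."""

    def __init__(self, session_id, make_request_id):
        self.session_id = session_id
        self.make_request_id = make_request_id
        self.pending = set()

    def send_request(self):
        rid = self.make_request_id()
        self.pending.add(rid)
        return rid

    def receive(self, event):
        if event.session_id != self.session_id or event.event_type != "message":
            return False
        if event.request_id not in self.pending:
            return False                 # answer to a request we never sent
        self.pending.remove(event.request_id)   # one answer per request, no replays
        return True


def sequential_ids():
    """Predictable request ids 1, 2, 3, ... (what a naive client does)."""
    return count(1).__next__


def random_ids():
    """Unpredictable 64-bit request ids (assumption: hardening beyond the article)."""
    return lambda: secrets.randbits(64)


def survives_guessed_ids(client, guesses):
    """Defender-side check: does an event carrying a commonly used request id
    get through? True means the client rejected every guessed id."""
    for rid in guesses:
        bogus = SseEvent(client.session_id, "message", rid, "injected-response")
        if client.receive(bogus):
            return False
    return True


if __name__ == "__main__":
    print("weak reuse ratio  :", session_id_reuse_ratio(WeakSessionServer(), 100))
    print("strong reuse ratio:", session_id_reuse_ratio(StrongSessionServer(), 100))
    for name, gen in (("sequential", sequential_ids()), ("random", random_ids())):
        client = ValidatingClient("sess", gen)
        client.send_request()
        print(f"{name} request ids resist guessing:", survives_guessed_ids(client, range(1, 11)))
```

Running it prints a reuse ratio near 1.0 for the address-based server (a hundred churned sessions yield a single ID) and 0.0 for the CSPRNG-based one, then shows that the validating client with sequential request IDs accepts an event for ID 1 while the same client with random IDs rejects all ten guesses. The two checks together cover the page's first two recommendations; session expiration (the third) would add a timestamp to each session record and drop entries older than a chosen limit before routing any event.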

The prompt hijacking attack highlights a critical security risk in AI systems, which can be exploited to steal data or execute unauthorized commands. By prioritizing robust session management and applying zero-trust principles, businesses can mitigate this threat and ensure the integrity of their AI systems.

As AI continues to play an increasingly important role in modern business operations, it is crucial for leaders to stay informed about emerging security threats and take proactive measures to protect their systems.
