Executive Summary
A server-side request forgery (SSRF) vulnerability has been identified in elecV2P, a popular JavaScript automation tool used for running rules, fetching remote resources, and managing web automation tasks. The flaw, tracked as CVE-2026-5016, is present in all versions up to and including 3.8.3 and carries a CVSS score of 7.3 (High).
The vulnerability exists in the eAxios function within the /mock component's URL Handler. By manipulating the req argument, an unauthenticated remote attacker can trigger the server to initiate arbitrary HTTP requests to internal or external resources — a classic SSRF pattern. A public exploit is already available, raising the exploitation risk for unpatched deployments.
CVSS Score: 7.3 (High)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-5016 |
| CVSS Score | 7.3 (High) |
| Type | CWE-918: Server-Side Request Forgery (SSRF) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Component | /mock endpoint — URL Handler (eAxios function) |
| Exploit | Publicly available |
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| elecV2P elecV2P | <= 3.8.3 | Not confirmed at time of disclosure |
What Is elecV2P?
elecV2P is a JavaScript-based automation platform commonly used for:
- Running rewrite rules (similar to Surge/Quantumult X)
- Fetching and caching remote JavaScript tasks
- Proxying HTTP/HTTPS requests for script execution
- Web automation workflows triggered via HTTP endpoints
The tool's /mock endpoint is used to simulate or proxy HTTP requests, making it a natural attack surface for SSRF exploitation.
Technical Analysis
Root Cause
The eAxios function in elecV2P's URL Handler accepts user-supplied input via the req argument without adequate validation or allowlisting. When a request is sent to the /mock endpoint with a crafted req value, the server initiates an HTTP request to the attacker-specified destination.
Attack path:
Attacker → HTTP request to /mock endpoint
→ Manipulates `req` argument with target URL
→ elecV2P server calls eAxios(req) with attacker URL
→ Server makes outbound HTTP request to attacker-controlled or internal URL
→ Response returned to attacker (data exfiltration)
SSRF Impact Scenarios
| Scenario | Description |
|---|---|
| Internal network scanning | Probe internal services (169.254.x.x, 10.x.x.x, 172.16.x.x) |
| Cloud metadata exfiltration | Access AWS/GCP/Azure IMDS at 169.254.169.254 to steal credentials |
| Internal API abuse | Access unexposed admin APIs and management interfaces |
| Port scanning | Enumerate open ports on internal hosts via response timing |
| Credential harvesting | Read internal secrets from unauthenticated services |
| Bypass IP allowlists | Use the server as a proxy to bypass network-level access controls |
Example Attack Vector
An attacker targeting a cloud-hosted elecV2P instance could exploit the SSRF to access the cloud provider's instance metadata service:
POST /mock
Content-Type: application/json
{
"req": {
"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"method": "GET"
}
}
If successful, the server returns IAM credential data including temporary access tokens, enabling full AWS API access with the instance's assigned role.
Attack Surface
elecV2P is often deployed in environments where it has access to internal network resources, making SSRF particularly impactful:
- Self-hosted automation environments — may have network access to databases, message queues, or admin panels
- Container deployments — internal Docker networks expose services on private RFC1918 space
- Cloud VMs — IMDS endpoint accessible from the instance
- Development environments — often less hardened than production, exposing dev-only services
Immediate Remediation
1. Update elecV2P
Update to the latest version of elecV2P once a patched release is available. Monitor the official repository at GitHub for release announcements.
2. Restrict Network Egress (Immediate Mitigation)
Until a patch is applied, restrict outbound connections from the elecV2P host:
# Example: Block access to cloud metadata and RFC1918 via iptables
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP3. Authentication and Access Control
If the /mock endpoint does not require authentication, restrict access to trusted IP addresses only:
# Nginx: Restrict /mock to internal IPs only
location /mock {
allow 10.0.0.0/8;
allow 127.0.0.1;
deny all;
}4. Deploy a Web Application Firewall
Use a WAF or reverse proxy to inspect and block requests containing private IP ranges or metadata endpoints in the req parameter.
Detection
Monitor for exploitation attempts targeting the /mock endpoint:
# Suspicious patterns in access logs
POST /mock # With body containing:
- 169.254.169.254 (IMDS)
- 127.0.0.1 / localhost
- RFC1918 ranges: 10.x, 172.16.x, 192.168.x
- file:// URIs (local file read attempts)
- dict:// or gopher:// URIs (advanced SSRF)
Unexpected outbound connections from the elecV2P process to internal or metadata endpoints are strong indicators of active exploitation.
Key Takeaways
- CVE-2026-5016 is a network-exploitable SSRF in elecV2P up to version 3.8.3 requiring no authentication
- A public exploit exists — exposure window is narrow; patch or mitigate immediately
- Cloud-hosted deployments are at highest risk due to accessible IMDS endpoints
- Restrict egress and access to the
/mockendpoint as an interim mitigation - Monitor for unusual outbound HTTP requests from your elecV2P host