Platform
nodejs
Component
elecv2p
Fixed in
3.8.1
3.8.2
3.8.3
3.8.4
A server-side request forgery (SSRF) vulnerability has been identified in elecV2P versions 3.8.0 through 3.8.3. The flaw is in the eAxios function of the /mock component: a user-controlled request target is handed to the server's HTTP client, so a remote attacker can make the elecV2P host issue requests on their behalf, including requests to resources that are only reachable from that host. The vulnerability is remotely exploitable and a public proof-of-concept is available, so exploitation requires little effort. The project maintainers have not yet responded to the reported issue.
Because the forged requests originate from the elecV2P server, they carry that server's network position and any trust attached to it. An attacker could reach services that are not exposed to the internet, such as databases, internal APIs, administrative interfaces, or a cloud provider's instance metadata endpoint, and could read data from them or change their configuration, depending on what those services accept from the elecV2P host. Any further impact, up to code execution, comes from the reachable services rather than from elecV2P itself. The public exploit lowers the barrier to entry, so the practical risk is higher than the vector alone suggests.
The vulnerability was disclosed on 2026-03-28 and is rated HIGH (CVSS 7.3). A public proof-of-concept is available, which lowers the effort needed to exploit it; the EPSS score of 0.05% (17th percentile), however, estimates a low probability of exploitation in the wild over the next 30 days. The lack of a response from the project increases the risk, since no fix is scheduled. The vulnerability is not currently listed in the CISA KEV catalog.
Organizations running elecV2P versions 3.8.0 through 3.8.3 are at risk, particularly where the /mock component is reachable from the internet or where the elecV2P host sits on a network with little segmentation and can reach internal services. Shared hosting environments that include this component are at increased risk because one tenant's request could be directed at another tenant's services.
• nodejs / server:
ps aux | grep -i elecv2p
# netstat shows the process name (node), not the package name, so match on node and compare the listening port with the elecV2P configuration:
netstat -tulnp | grep node
• generic web:
curl -I '<elecV2P_URL>/mock?req=<internal_ip>'
# Check for response headers or timing that indicate the server reached the internal address
Disclosure
Exploit status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
Because the project maintainers have not responded, mitigation cannot wait for an upstream fix. Upgrade to a patched version of elecV2P as soon as one is published. Until then, two controls limit what a forged request can reach. At the application edge, a Web Application Firewall can reject inbound requests to /mock whose target parameter names a loopback, private (RFC 1918), link-local, or instance-metadata address, or uses a scheme other than http or https; a WAF inspects inbound traffic and cannot stop the server's own outbound connections. At the network layer, restrict the elecV2P host's outbound connectivity (egress filtering, host firewall rules) to the destinations it genuinely needs, so that a request that slips past the input check still cannot reach internal services. Validate the user-supplied URL in code as well, resolving the hostname and checking the resulting address rather than only the string, since decimal, hexadecimal, and IPv6-mapped forms of an address bypass a textual blocklist. After applying any mitigation, verify it by sending a controlled request to /mock that targets an internal address and confirming that it is refused at the edge, blocked on egress, or both.
Update elecV2P to a version later than 3.8.3. No specific version fixes the issue, so updating to the latest available version is recommended. If updating is not possible, review and validate the user input that reaches the eAxios function in the /mock file to prevent unwanted requests.
CVE-2026-5016 is a server-side request forgery vulnerability affecting elecV2P versions 3.8.0–3.8.3, allowing attackers to forge requests and potentially access internal resources.
You are affected if you are using elecV2P versions 3.8.0 through 3.8.3. Upgrade as soon as a patch is available.
Upgrade to a patched version of elecV2P. Until then, reject inbound requests to /mock that target internal addresses, restrict the host's outbound network access to the destinations it needs, and validate the target URL in code against resolved addresses.
A public proof-of-concept exists, which lowers the effort needed to exploit the flaw, although the EPSS score (0.05%, 17th percentile) currently estimates a low probability of exploitation in the wild.
As of the current disclosure date, no official advisory has been published by the elecV2P project.