Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint | Advisories

Advisories

Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint

severity: high
date: 6/29/2026
Affecting: Nitter < commit 44b2f09
CVE: CVE-2026-56285
CWE: CWE-918 Server-Side Request Forgery (SSRF)
CWE-1188 Initialization of a Resource with an Insecure Default
CVSS: 7.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
References: Researcher Disclosure
Patch Commmit
Credit: George Chen
Description: Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo