Description
Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.
Published: 2026-06-29
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nitter's /video media proxy endpoint lacks validation of target URLs and uses a hard‑coded default HMAC key. This flaw lets an unauthenticated user compute a valid signature for any URL and retrieve HTTP responses from any host the server can reach, including internal network resources and cloud metadata services.
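Added example, not Nitter's code and not part of this record: a defender-side sketch in Python of the two checks whose absence the description above names, an exact-host allowlist for proxy targets (CWE-918) and a refusal to run with the shipped default HMAC key (CWE-1188). The default key value, the allowlisted hosts and the function names are assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Placeholder for the key shipped in the source; assumed value, not Nitter's actual constant.
DEFAULT_HMAC_KEY = "secretkey"

# Hosts a Twitter/X media proxy legitimately fetches from; assumed allowlist, adjust per deployment.
ALLOWED_MEDIA_HOSTS = frozenset({"video.twimg.com", "pbs.twimg.com"})


def sign_url(key: str, url: str) -> str:
    """Hex HMAC-SHA256 tag that a media proxy embeds in the link it hands to clients."""
    return hmac.new(key.encode(), url.encode(), hashlib.sha256).hexdigest()


def hmac_key_is_configured(key: str) -> bool:
    """Startup check: a key anyone can read from the source is no key at all (CWE-1188)."""
    return bool(key) and key != DEFAULT_HMAC_KEY


def is_allowed_target(url: str) -> bool:
    """Allowlist check the vulnerable endpoint lacks (CWE-918).

    Requires https, rejects userinfo (host@real-host tricks) and non-default ports,
    and compares the parsed hostname exactly rather than by prefix or substring.
    """
    p = urlparse(url)
    if p.scheme != "https" or p.username or p.password or p.port not in (None, 443):
        return False
    return (p.hostname or "").lower() in ALLOWED_MEDIA_HOSTS


def authorize_proxy_request(key: str, url: str, sig: str) -> bool:
    """A proxy fetch is permitted only if the target is in scope AND the tag was made with our key."""
    if not hmac_key_is_configured(key) or not is_allowed_target(url):
        return False
    return hmac.compare_digest(sign_url(key, url), sig)
```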

Affected Systems

The affected product is Nitter, a self‑hosted X/Twitter front‑end maintained by zedeus. No specific affected versions are documented in the advisory; the issue applies to any unpatched installation that still uses the vulnerable /video endpoint.

Risk and Exploitability

With a CVSS base score of 7.7, the vulnerability is considered high severity. The lack of authentication and the ability to forge HMACs make exploitation trivial for an attacker who can craft a request to the /video endpoint. Although the EPSS score is not available, the direct attack path and potential exposure of internal services indicate a significant risk. The vulnerability is not listed in CISA KEV, but its impact on internal infrastructure warrants immediate attention.

Generated by OpenCVE AI on June 29, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest official release of Nitter that contains the SSRF fix.
  • Limit access to the /video endpoint with firewall or reverse‑proxy rules so that only trusted IPs can invoke it.
  • Disable outgoing network traffic from the Nitter host to internal services or isolate it from internal networks to mitigate SSRF exposure.
  • Monitor access logs for unexpected /video requests and investigate anomalous outbound traffic.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:30:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type: Description
Values Removed:
Values Added: Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

Type: Title
Values Removed:
Values Added: Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint

Type: Weaknesses
Values Removed:
Values Added: CWE-1188, CWE-918

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}; cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T19:26:45.502Z

Reserved: 2026-06-20T01:51:24.919Z

Link: CVE-2026-56285

Vulnrichment

Updated: 2026-06-29T19:26:40.637Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T19:30:02Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default

  • CWE-918

    Server-Side Request Forgery (SSRF)