Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.
Metrics
Affected Vendors & Products
References
History
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Zedeus
Zedeus nitter |
|
| Vendors & Products |
Zedeus
Zedeus nitter |
Mon, 29 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 29 Jun 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources. | |
| Title | Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint | |
| Weaknesses | CWE-1188 CWE-918 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-29T17:13:57.473Z
Updated: 2026-06-29T19:26:45.502Z
Reserved: 2026-06-20T01:51:24.919Z
Link: CVE-2026-56285
Updated: 2026-06-29T19:26:40.637Z
No data.
No data.