CVE Catalog

CVE-2026-56285

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Summary

A vulnerability in Nitter allows unauthenticated attackers to exploit the /video media proxy endpoint to send HTTP requests to any host reachable by the server, including cloud metadata services and internal network resources. The issue stems from missing validation of target URLs against Twitter/X domains and the use of a hardcoded default HMAC key.

Risk Assessment

An attacker can access sensitive data from cloud metadata services (e.g., cloud access keys) and other internal network resources, potentially leading to privilege escalation and infrastructure confidentiality breaches.

Recommendation

Immediately update Nitter to a version that includes a fix validating target URLs against allowed domains and using a secure, random HMAC key. If an update is not possible, restrict access to the /video endpoint via firewall or reverse proxy.

Original NVD description (English source)

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS