Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network SSRF against default config (PR:N/AC:L); scope changes (S:C) as the server reads other systems, and metadata/internal data exposure makes C:H with no integrity or availability impact.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.
AnalysisAI
Server-side request forgery in Nitter's /video media proxy endpoint lets unauthenticated remote attackers coerce the server into fetching arbitrary URLs and returning their HTTP responses, including AWS/GCP cloud metadata endpoints and internal-only network resources. The flaw stems from two compounding errors: the proxy never validates that target URLs belong to Twitter/X domains, and it ships with a hardcoded default HMAC signing key, so an attacker can locally compute the valid HMAC signature required for any URL of their choosing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Nitter instance run with the default (hardcoded) HMAC signing key - the documented prerequisite that lets an attacker forge a valid signature for the /video proxy; operators who set a custom strong HMAC key are not exploitable via this path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, score 7.7) models this accurately: network-reachable, low complexity, no privileges and no user interaction, with the impact expressed as subsequent-system confidentiality high (SC:H) - i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows or extracts the hardcoded default HMAC key computes a valid signature for http://169.254.169.254/latest/meta-data/iam/security-credentials/, then sends an unauthenticated request to a public Nitter instance's /video endpoint with that signed URL. The server fetches the cloud metadata service from its own trusted network position and returns the IAM role credentials in the HTTP response, which the attacker then uses to access the victim's cloud account. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change in commit 44b2f096f67da2cc257a0e262a94a7ae79e95d47 (https://github.com/zedeus/nitter/commit/44b2f096f67da2cc257a0e262a94a7ae79e95d47) by rebuilding/redeploying from a Nitter build that includes it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Nitter, document the media proxy's usage scope, and assess credential access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40154
GHSA-4m2j-2x3w-gg93