CVE-2026-56285
Status: Received - Intake

Nitter Video Proxy URL Redirection and HMAC Key Exposure

Vulnerability report for CVE-2026-56285, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor   Product   Version / Range
zedeus   nitter    up to commit 44b2f09 (excluding)


Exploitability

CWE ID     Description
CWE-918    The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-1188   The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.


Executive Summary

CVE-2026-56285 is a Server-Side Request Forgery (SSRF) vulnerability in the Nitter application's /video media proxy endpoint.

The vulnerability occurs because the /video endpoint does not validate that the target URL belongs to Twitter/X domains, unlike other endpoints that enforce such restrictions.

Additionally, the HMAC key used for authenticating requests is hardcoded as "secretkey", making it trivial for attackers to forge valid HMAC signatures.

An unauthenticated attacker can compute a valid HMAC for any arbitrary URL using this default key and send crafted requests to the /video endpoint.

This allows attackers to retrieve HTTP responses from any host accessible by the Nitter server, including internal network resources and cloud metadata services.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive internal resources.

Attackers can retrieve data from internal network services and cloud metadata services such as AWS IMDSv1, potentially exposing cloud instance credentials.

It also enables attackers to perform port scanning and gather information about internal services that are normally inaccessible.

Overall, it can lead to exposure of sensitive data and compromise of internal infrastructure security.

Detection Guidance

Detecting this vulnerability means determining whether the Nitter instance exposes the vulnerable /video media proxy endpoint and still uses the hardcoded default HMAC key.

One approach is to test if the /video endpoint accepts arbitrary URLs with a valid HMAC computed using the default key "secretkey". If such requests succeed in retrieving HTTP responses from arbitrary hosts, the system is vulnerable.

A test consists of crafting a request to the /video endpoint that carries an HMAC computed with the default key and an arbitrary target URL, for instance with curl and a small script or tool that computes the HMAC.

  • Use a script or tool to compute HMAC with key "secretkey" for a chosen URL.
  • Send a request like: curl "https://<nitter-instance>/video/<computed-hmac>/<target-url>"
  • Check if the response contains data from the target URL, such as internal metadata service endpoints or other internal resources.

Additionally, monitoring network traffic for unusual requests to the /video endpoint with arbitrary external or internal URLs can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the Nitter application to a version that includes the patch from commit 44b2f09 or later, which fixes the SSRF vulnerability by validating target URLs and restricting them to Twitter/X domains.

If updating immediately is not possible, change the default hardcoded HMAC key "secretkey" to a unique, random value to prevent attackers from forging valid HMAC signatures.

Additionally, configure the media proxy to validate URLs properly and prevent redirects to non-allowed hosts.

  • Apply the patch that validates the /video endpoint URLs using the isTwitterUrl() function.
  • Set a unique random HMAC key in the configuration to replace the default "secretkey".
  • Monitor logs and network traffic for suspicious requests to the /video endpoint.
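The allowlist check and key hygiene described in the mitigation bullets, together with the log monitoring recommended in the detection section, as an added Python example. This is not Nitter's own code (Nitter is written in Nim, and its actual fix is the isTwitterUrl() check, which this does not reproduce). Everything beyond what the advisory states is an assumption of this example: the allowlisted domains, https-only fetching, the 32-character minimum key length, and the access-log format with the target URL percent-encoded in a /video/<sig>/<url> path; the sample log lines are constructed.

```python
"""Defensive checks for a media-proxy endpoint like Nitter's /video.

Added example, not Nitter's own code. Three pieces:
  1. is_twitter_url(): an allowlist check of the kind the fix applies.
  2. hmac_key_problems(): a startup check that refuses the shipped default key.
  3. flag_offlist_video_requests(): a log scan for /video requests whose
     target host is not on the allowlist.
"""
import re
import secrets
from urllib.parse import unquote, urlsplit

# ASSUMPTION: the advisory says the fix restricts targets to Twitter/X domains
# but does not list them; this allowlist is illustrative, not isTwitterUrl()'s.
ALLOWED_HOST_SUFFIXES = ("twimg.com", "twitter.com", "x.com")

DEFAULT_HMAC_KEY = "secretkey"   # the hardcoded default named in the advisory
MIN_HMAC_KEY_LEN = 32            # ASSUMPTION: a policy choice, not a Nitter setting


def is_twitter_url(url: str) -> bool:
    """True only for https URLs whose host is an allowlisted domain or a
    subdomain of one. Rejects userinfo tricks (https://x.com@evil.example/),
    raw IP addresses, look-alikes such as x.com.evil.example, and URLs the
    parser cannot even split (malformed IPv6 literals)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":      # ASSUMPTION: media is only fetched over TLS
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def hmac_key_problems(key: str) -> list:
    """Return the reasons a configured HMAC key is unacceptable (empty = fine)."""
    problems = []
    if key == DEFAULT_HMAC_KEY:
        problems.append("key is the shipped default 'secretkey'; anyone can sign URLs")
    if len(key) < MIN_HMAC_KEY_LEN:
        problems.append(f"key shorter than {MIN_HMAC_KEY_LEN} characters")
    return problems


def generate_hmac_key() -> str:
    """A replacement key: 32 random bytes, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


# ASSUMPTION: access-log lines in common log format and a /video/<sig>/<url>
# path with the target URL percent-encoded, as in the advisory's curl example.
VIDEO_REQ = re.compile(r'"GET /video/[^/ ]+/(?P<url>[^ ]+) HTTP/')


def flag_offlist_video_requests(log_lines):
    """Return the decoded target URLs of /video requests that point off-allowlist.
    The signature is deliberately ignored: with the default key every signature
    is forgeable, so the target host is the signal worth alerting on."""
    flagged = []
    for line in log_lines:
        m = VIDEO_REQ.search(line)
        if m:
            target = unquote(m.group("url"))
            if not is_twitter_url(target):
                flagged.append(target)
    return flagged


# Constructed sample log lines (not from a real instance).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jun/2026:10:00:01 +0000] "GET /video/ab12cd/https%3A%2F%2Fvideo.twimg.com%2Fext_tw_video%2F1%2Fvid.mp4 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [29/Jun/2026:10:00:07 +0000] "GET /video/ab12cd/https%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 311',
    '203.0.113.9 - - [29/Jun/2026:10:00:09 +0000] "GET /video/ab12cd/http%3A%2F%2Fintranet.internal%2Fadmin HTTP/1.1" 200 2048',
    '198.51.100.2 - - [29/Jun/2026:10:00:12 +0000] "GET /pic/media%2Fabc.jpg HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for target in flag_offlist_video_requests(SAMPLE_LOG):
        print("off-allowlist /video target:", target)
    print("default key problems:", hmac_key_problems(DEFAULT_HMAC_KEY))
    print("example replacement key:", generate_hmac_key())
```

Run as a script it flags the two constructed requests aimed at the metadata service and an internal host, and reports why the default key is unacceptable. The allowlist is checked independently of signature validity on purpose: rotating the key closes the forgery path, but only the host check stops a signed request from reaching a non-Twitter host, which is why the patch and the key change are both needed.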
