PT-2026-49580 · Npm · @Angular/Service-Worker
Published
2026-06-15
·
Updated
2026-06-15
·
CVE-2026-54264
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
An information disclosure vulnerability exists in the
@angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.This allows a remote attacker to obtain sensitive credentials (e.g.,
Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.Impact
If an application configured with the Angular Service Worker fetches assets with credential headers (such as
Authorization header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.Attack Preconditions
For this vulnerability to be exploitable:
- Vulnerable Configuration: The application must utilize the
@angular/service-workerpackage to fetch assets. - Credentialed Requests: The application must attach sensitive request headers (like
Authorization,Proxy-Authorization, or rely on cookies) to asset-group requests. - Redirect Flow: These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.
Patched Versions
- 22.0.1
- 21.2.17
- 20.3.25
Credits
This vulnerability was discovered and reported by CodeMender from Google DeepMind.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Angular/Service-Worker