Skip to main content

Angular Service Worker CVE-2026-54264

| EUVDEUVD-2026-38274 HIGH
Information Exposure (CWE-200)
2026-06-15 https://github.com/angular/angular GHSA-qxh6-94w6-9r5p
8.3
CVSS 4.0 · Vendor: https://github.com/angular/angular
Share

Severity by source

Vendor (https://github.com/angular/angular) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network reach, no auth, but exploitation needs a cross-origin redirect on a credentialed asset URL (AC:H) and the victim loading the PWA (UI:R); scope changes to leak credentials to a third-party origin, confidentiality-only.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (https://github.com/angular/angular).

CVSS VectorVendor: https://github.com/angular/angular

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 22, 2026 - 16:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 16:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 16:52 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 16:52 NVD
8.3 (HIGH)
Source Code Evidence Fetched
Jun 15, 2026 - 17:54 vuln.today
Analysis Generated
Jun 15, 2026 - 17:54 vuln.today

DescriptionCVE.org

An information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.

This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.

Impact

If an application configured with the Angular Service Worker fetches assets with credential headers (such as Authorization header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.

Attack Preconditions

For this vulnerability to be exploitable:

  1. Vulnerable Configuration: The application must utilize the @angular/service-worker package to fetch assets.
  2. Credentialed Requests: The application must attach sensitive request headers (like Authorization, Proxy-Authorization, or rely on cookies) to asset-group requests.
  3. Redirect Flow: These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.

Patched Versions

  • 22.0.1
  • 21.2.17
  • 20.3.25

Credits

This vulnerability was discovered and reported by CodeMender from Google DeepMind.

AnalysisAI

Sensitive header leakage in @angular/service-worker allows remote attackers to capture Authorization tokens, Proxy-Authorization credentials, and session cookies when a credentialed asset fetch is redirected cross-origin, because the worker preserved request headers instead of stripping them per the Fetch redirect algorithm. Affected versions span Angular 20.x, 21.x, and 22.x prereleases (and all 19.x and earlier), and no public exploit identified at time of analysis. The flaw was discovered by Google DeepMind's CodeMender and patched in 22.0.1, 21.2.17, and 20.3.25.

Technical ContextAI

The vulnerability lives in the asset-fetch path of Angular's Progressive Web App Service Worker (@angular/service-worker), specifically in AssetGroup.newRequestWithMetadata within packages/service-worker/worker/src/assets.ts. When constructing a follow-up Request after a redirect, the worker copied the original RequestInit.headers verbatim, including Authorization, Proxy-Authorization, and Cookie, without checking whether the redirect crossed origins. The WHATWG Fetch redirect algorithm explicitly mandates stripping Authorization (and treating Cookie/Proxy-Authorization as forbidden request headers) on cross-origin redirects, so the worker's behavior diverged from the browser's native fetch contract. This is a classic CWE-200 information exposure: the patch (PR #69029, commit 47d68dcb) parses the redirect target URL, compares its origin against the adapter origin, and explicitly deletes Authorization, Proxy-Authorization, and Cookie headers when they differ.

RemediationAI

Vendor-released patch: upgrade @angular/service-worker to 22.0.1, 21.2.17, or 20.3.25 depending on your major version (npm install @angular/service-worker@22.0.1 or the equivalent for 21.x/20.x), as published in PR https://github.com/angular/angular/pull/69029 and commit https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08. Users still on @angular/service-worker <=19.2.25 should migrate to a supported branch since no fix is published for 19.x. Until you can upgrade, the compensating controls are: stop attaching Authorization, Proxy-Authorization, or Cookie headers to requests whose URLs appear in any asset-group of ngsw-config.json (trade-off: any genuinely credentialed asset fetch must move outside the service worker's caching scope); ensure asset URLs resolve only to first-party origins you fully control and audit any server-side redirects on those endpoints to prevent cross-origin redirects (trade-off: blocks legitimate CDN failover redirects); and where feasible, restrict the Service Worker's scope so it does not intercept credentialed API or asset endpoints. Refer to the GHSA at https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p for the canonical advisory.

Share

CVE-2026-54264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy