Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network reach, no auth, but exploitation needs a cross-origin redirect on a credentialed asset URL (AC:H) and the victim loading the PWA (UI:R); scope changes to leak credentials to a third-party origin, confidentiality-only.
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
An information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.
This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.
Impact
If an application configured with the Angular Service Worker fetches assets with credential headers (such as Authorization header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.
Attack Preconditions
For this vulnerability to be exploitable:
- Vulnerable Configuration: The application must utilize the
@angular/service-workerpackage to fetch assets. - Credentialed Requests: The application must attach sensitive request headers (like
Authorization,Proxy-Authorization, or rely on cookies) to asset-group requests. - Redirect Flow: These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.
Patched Versions
- 22.0.1
- 21.2.17
- 20.3.25
Credits
This vulnerability was discovered and reported by CodeMender from Google DeepMind.
AnalysisAI
Sensitive header leakage in @angular/service-worker allows remote attackers to capture Authorization tokens, Proxy-Authorization credentials, and session cookies when a credentialed asset fetch is redirected cross-origin, because the worker preserved request headers instead of stripping them per the Fetch redirect algorithm. Affected versions span Angular 20.x, 21.x, and 22.x prereleases (and all 19.x and earlier), and no public exploit identified at time of analysis. The flaw was discovered by Google DeepMind's CodeMender and patched in 22.0.1, 21.2.17, and 20.3.25.
Technical ContextAI
The vulnerability lives in the asset-fetch path of Angular's Progressive Web App Service Worker (@angular/service-worker), specifically in AssetGroup.newRequestWithMetadata within packages/service-worker/worker/src/assets.ts. When constructing a follow-up Request after a redirect, the worker copied the original RequestInit.headers verbatim, including Authorization, Proxy-Authorization, and Cookie, without checking whether the redirect crossed origins. The WHATWG Fetch redirect algorithm explicitly mandates stripping Authorization (and treating Cookie/Proxy-Authorization as forbidden request headers) on cross-origin redirects, so the worker's behavior diverged from the browser's native fetch contract. This is a classic CWE-200 information exposure: the patch (PR #69029, commit 47d68dcb) parses the redirect target URL, compares its origin against the adapter origin, and explicitly deletes Authorization, Proxy-Authorization, and Cookie headers when they differ.
RemediationAI
Vendor-released patch: upgrade @angular/service-worker to 22.0.1, 21.2.17, or 20.3.25 depending on your major version (npm install @angular/service-worker@22.0.1 or the equivalent for 21.x/20.x), as published in PR https://github.com/angular/angular/pull/69029 and commit https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08. Users still on @angular/service-worker <=19.2.25 should migrate to a supported branch since no fix is published for 19.x. Until you can upgrade, the compensating controls are: stop attaching Authorization, Proxy-Authorization, or Cookie headers to requests whose URLs appear in any asset-group of ngsw-config.json (trade-off: any genuinely credentialed asset fetch must move outside the service worker's caching scope); ensure asset URLs resolve only to first-party origins you fully control and audit any server-side redirects on those endpoints to prevent cross-origin redirects (trade-off: blocks legitimate CDN failover redirects); and where feasible, restrict the Service Worker's scope so it does not intercept credentialed API or asset endpoints. Refer to the GHSA at https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p for the canonical advisory.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38274
GHSA-qxh6-94w6-9r5p