Skip to main content

Angular Service Worker EUVDEUVD-2026-38295

| CVE-2026-50169 MEDIUM
Information Exposure (CWE-200)
2026-06-15 https://github.com/angular/angular GHSA-gv2q-mqqv-365m
5.7
CVSS 4.0 · Vendor: https://github.com/angular/angular
Share

Severity by source

Vendor (https://github.com/angular/angular) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network vector; high complexity from five simultaneous preconditions; no attacker privileges needed but user interaction (active session) is required; scope changed because SW crosses public-to-private trust boundary; high confidentiality loss, no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/angular/angular).

CVSS VectorVendor: https://github.com/angular/angular

CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 18:23 NVD
5.7 (MEDIUM)
Source Code Evidence Fetched
Jun 15, 2026 - 17:18 vuln.today
Analysis Generated
Jun 15, 2026 - 17:18 vuln.today

DescriptionCVE.org

An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function.

During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy.

If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes.

Impact

Web applications registering the @angular/service-worker package are vulnerable to this redirect-policy bypass if they make safe client-side fetch calls (such as { redirect: 'error' }) to paths matched by a service worker asset group (such as lazy-loaded JavaScript bundles or dynamic public assets) that can return HTTP redirects to authenticated same-origin secure endpoints.

By stripping developer-defined safety boundaries, the service worker allows the browser to transparently query and return data from credentials-guarded resources that should have been blocked at the network barrier.

Attack Preconditions

To successfully exploit this vulnerability, all of the following application states and parameters must concurrently exist:

  1. Active Angular Service Worker: The target application uses @angular/service-worker and has an active registration of ngsw-worker.js inside the client's browser context.
  2. Asset Group Matching: An assetGroups pattern in ngsw-config.json encompasses the target dynamic routing endpoint.
  3. Same-Origin Dynamic Redirection: The server routes a public matched asset route to a service that returns an HTTP 3xx redirect pointing to a sensitive, session-restricted same-origin private route (e.g., /private/account-summary.json).
  4. Established User Session: The victim user currently has an active authentication state, such as valid same-origin session cookies or auth headers stored by the browser.
  5. Client-Side Safe Fetch Call: The application initiates an explicit fetch request to the route with safety parameters: { redirect: 'error' }.

Mitigations & Workarounds

If upgrading the @angular/service-worker package is not immediately feasible, developers should implement the following defensive measures:

  • Avoid Public-to-Private Dynamic Redirection: Refactor the server architecture so that public paths matched by service worker asset groups never issue HTTP 3xx redirects to authenticated same-origin secure endpoints.
  • Strict Cookie Configuration: Apply strict flags to session cookies (SameSite=Strict; Secure; HttpOnly) and consider explicit route isolations (such as subdomains) for credential-guarded private resources.
  • Exclude Secure Endpoints from SW Config: Verify your ngsw-config.json settings and ensure that patterns targeting dynamic, secure endpoints are explicitly excluded from automatic asset groups or caching scopes.

Patches

  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23

AnalysisAI

Redirect-policy stripping in @angular/service-worker allows the Angular Service Worker to silently follow HTTP 3xx redirects that client code explicitly prohibited via redirect: 'error', turning the SW into an unintended Confused Deputy proxy. When a public asset route matched by an assetGroups pattern issues a same-origin redirect to a session-restricted private endpoint, the SW reconstructs the intercepted Request object without preserving the caller's redirect policy, causing the browser to transparently fetch and return credentialed private data that should have triggered a network error. No public exploit has been identified at time of analysis, but the vulnerability class (same-origin credential leakage via service-worker policy bypass) carries meaningful real-world risk for Angular SPAs with mixed public/private routing.

Technical ContextAI

The Angular Service Worker (pkg:npm/@angular/service-worker) intercepts fetch events within a browser ServiceWorkerGlobalScope and serves matched assets from its cache or network. When a cache miss or network fetch is required, an internal AssetGroup helper function in packages/service-worker/worker/src/assets.ts reconstructs a new Request object from the original request's URL and headers. Prior to the fix in PR #67494, this reconstruction called this.adapter.newRequest(url, {headers: options.headers}) - intentionally forwarding headers but silently discarding all other RequestInit properties, including the redirect field. The Fetch API's redirect option governs how the browser handles HTTP 3xx responses: 'follow' (browser default) transparently follows redirects, while 'error' causes the promise to reject. By dropping the caller's redirect: 'error' instruction, the SW caused every intercepted request to revert to 'follow', creating a Confused Deputy: the SW holds ambient same-origin credentials and fetch authority, but blindly executes redirects to scopes the original caller explicitly refused to enter. CWE-200 (Exposure of Sensitive Information) applies because the root cause is the SW returning data from a restricted resource the client never authorized it to access.

RemediationAI

Upgrade @angular/service-worker to the patched release for your Angular major version: 19.2.23, 20.3.22, 21.2.15, or 22.0.0-rc.2 as appropriate (see https://github.com/angular/angular/pull/67494 for the one-line fix). The patch preserves the redirect property when the SW reconstructs Request objects in AssetGroup, restoring developer-defined redirect policies. If upgrading is not immediately feasible, three targeted workarounds are available: (1) Refactor server routing so that no public path matched by an assetGroups pattern ever issues a 3xx redirect to a session-restricted same-origin endpoint - this eliminates the redirect chain the SW would follow, though it may require significant server-side routing changes; (2) Audit ngsw-config.json and explicitly exclude dynamic or API-adjacent path patterns from assetGroups scope so the SW does not intercept those requests at all - trade-off is that previously cached assets on those paths will no longer be served offline; (3) Apply SameSite=Strict; Secure; HttpOnly to all session cookies and consider serving private API endpoints from a subdomain to enforce browser same-site isolation, reducing the credential exposure window even if the redirect is followed. For Angular v18 users with no available patch, all three workarounds should be applied in combination. Advisory and patch reference: https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m and https://github.com/angular/angular/pull/67494.

Share

EUVD-2026-38295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy