Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
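The following block is an added illustration of the mechanism in the description (restated under Impact below); it is not Angular's code and not the project's patch. It models the two forms of the request-reconstruction helper: the vulnerable form rebuilds the Request from url, method and headers only, so the Request constructor's default redirect mode 'follow' silently replaces the caller's 'error'; the fixed form forwards the caller's redirect mode. A constructed origin, with a public route that answers 302 to a session-bound route, stands in for the network, and a small page-side check on the response's url/redirected flag shows a defence that does not depend on the service worker. The origin, route paths and response body are constructed for the example; it assumes a runtime with the WHATWG Request global (a browser, or Node 18+).

```javascript
// Added example: models the request-reconstruction bug the advisory describes.
// Not Angular's own code. Origin, routes and bodies below are constructed.
const ORIGIN = 'https://app.example';

// Constructed routes: a public dynamic route that redirects into a
// session-restricted one. The second response is what must not leak.
const ROUTES = {
  '/api/public/promo': { status: 302, headers: { Location: '/api/account' } },
  '/api/account': { status: 200, body: '{"email":"user@example","balance":42}' },
};

// Vulnerable pattern: the Request is rebuilt from url/method/headers only.
// RequestInit.redirect defaults to 'follow', so the caller's 'error' is lost.
function reconstructRequestVulnerable(req) {
  return new Request(req.url, { method: req.method, headers: new Headers(req.headers) });
}

// Fixed pattern: forward the caller's redirect mode explicitly (a real helper
// would forward every policy field the caller set: credentials, mode, cache...).
function reconstructRequestFixed(req) {
  return new Request(req.url, {
    method: req.method,
    headers: new Headers(req.headers),
    redirect: req.redirect,
  });
}

// Constructed stand-in for the origin plus the browser's redirect handling.
// It honours request.redirect the way fetch() does: 'error' rejects on a 3xx,
// 'manual' returns an opaqueredirect-style result, 'follow' chases the Location.
async function originFetch(req) {
  let url = new URL(req.url);
  let hops = 0;
  for (;;) {
    const route = ROUTES[url.pathname];
    if (!route) return { status: 404, url: url.href, body: '', redirected: hops > 0 };
    if (route.status >= 300 && route.status < 400) {
      if (req.redirect === 'error') throw new TypeError('Failed to fetch: redirect with redirect: "error"');
      if (req.redirect === 'manual') return { status: 0, url: url.href, body: '', redirected: false };
      if (++hops > 20) throw new TypeError('Failed to fetch: too many redirects');
      url = new URL(route.headers.Location, url);
      continue;
    }
    return { status: route.status, url: url.href, body: route.body, redirected: hops > 0 };
  }
}

// What the page observes when the service worker intercepts its fetch,
// rebuilds the Request with the given helper, and forwards it to the origin.
async function viaServiceWorker(reconstruct, url, init) {
  const pageRequest = new Request(url, init);
  const rebuilt = reconstruct(pageRequest);
  try {
    const res = await originFetch(rebuilt);
    return { outcome: 'response', policy: rebuilt.redirect, ...res };
  } catch (e) {
    return { outcome: 'error', policy: rebuilt.redirect, message: e.message };
  }
}

// Page-side defence in depth: refuse any response whose final URL is not the
// URL that was requested, whatever redirect mode the intermediary applied.
function assertNotRedirected(requestedUrl, res) {
  if (res.redirected || new URL(res.url).href !== new URL(requestedUrl).href) {
    throw new Error(`response for ${requestedUrl} came from ${res.url}`);
  }
  return res;
}

// Same page request (redirect: 'error') through both helpers.
async function demo() {
  const url = `${ORIGIN}/api/public/promo`;
  const init = { redirect: 'error' };
  const vulnerable = await viaServiceWorker(reconstructRequestVulnerable, url, init);
  const fixed = await viaServiceWorker(reconstructRequestFixed, url, init);
  return { vulnerable, fixed };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

With the vulnerable helper the page receives the /api/account body with status 200 even though it asked for redirect: 'error'; with the fixed helper the fetch rejects on the 302, which is the behaviour the page relied on. assertNotRedirected rejects the leaked response in either case, so it is a reasonable check to keep on the page side while an upgrade is pending.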
Published: 2026-06-22
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular's @angular/service-worker was vulnerable to a request-policy bypass: when the service worker reconstructed an intercepted request, it dropped the client-supplied redirect mode (such as redirect: 'error'), so the rebuilt Request fell back to the default 'follow'. The worker therefore followed HTTP 3xx redirects the application had asked it to reject, acting as a confused deputy that could hand the page cookie-bearing or same-origin session-restricted responses when a public route redirects to a sensitive endpoint. The impact is to confidentiality (the CVSS v4.0 vector rates VC:H with no integrity or availability impact), and the flaw is classified under CWE-200, CWE-441 and CWE-524.

Affected Systems

Any Angular application using the @angular/service-worker package at a version earlier than 22.0.0-rc.2, 21.2.15, 20.3.22 or 19.2.23 (the fixed release in each affected major) is affected. Applications on older versions of this package remain exposed until one of those releases is applied.

Risk and Exploitability

The CVSS v4.0 score of 5.7 indicates moderate severity; the vector (AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N) records high confidentiality impact only, with high attack complexity, attack preconditions, and passive user interaction required. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an application that relies on a non-default redirect mode such as redirect: 'error' as a security control for requests the service worker intercepts, plus a public dynamic route whose redirect an attacker can point at a sensitive same-origin route; the service worker then follows the 3xx and returns the sensitive response to the page instead of the network error the application expected. Given the lack of exploitation statistics, the risk appears moderate, but the vendor's fix should be applied as soon as possible.

Generated by OpenCVE AI on June 22, 2026 at 18:25 UTC.

Remediation

Vendor fix: upgrade @angular/service-worker to 22.0.0-rc.2, 21.2.15, 20.3.22 or 19.2.23. No vendor workaround is documented.

OpenCVE Recommended Actions

  • Upgrade @angular/service-worker to 22.0.0-rc.2, 21.2.15, 20.3.22 or 19.2.23, whichever matches the application's Angular major, so the service worker preserves the redirect mode of the requests it reconstructs.
  • After upgrading, verify the fix: a request issued with redirect: 'error' to a route that answers with a 3xx should still reject when it passes through the service worker, not return the redirect target's response.
  • If an upgrade cannot be performed immediately, do not rely on redirect: 'error' as a security control for requests the service worker may intercept: route such requests around the service worker (Angular honours an ngsw-bypass request header or query parameter for this), or check response.redirected and response.url on the page side before using the response.


Advisories
Source: GitHub GHSA
ID: GHSA-gv2q-mqqv-365m
Title: Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
History

Mon, 22 Jun 2026 17:30:00 +0000

Type: Values Removed / Values Added

Description: none / added (identical to the Description at the top of this page)
Title: none / Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
Weaknesses: none / CWE-200, CWE-441, CWE-524
References: none / none
Metrics: none / cvssV4_0, score 5.7, vector CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:32:36.408Z

Reserved: 2026-06-03T20:54:20.433Z

Link: CVE-2026-50169

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-524: Use of Cache Containing Sensitive Information