Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Published: 2026-06-22
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An information disclosure vulnerability exists in the @angular/service-worker package of Angular. When the Service Worker fetches assets, it retains request headers, but when a request is redirected across origins it does not strip redirect algorithm. This flaw allows a remote attacker to obtain credentials such as Authorization tokens, Proxy-Authorization credentials, or session cookies by initiating a cross‑origin redirect to an untrusted external origin.

Affected Systems

The vulnerability applies to Angular @angular/service-worker releases prior to 22.0.1, 21.2.17 and 20.3.25. The affected vendor is Angular, and the versions listed are the only ones known to be vulnerable.

Risk and Exploitability

The CVSS score is 8.3, indicating a high severity. The EPSS score is 0.00226 (<1%), showing a very low probability that the vulnerability will be exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker triggering a cross‑origin redirect that the Service Worker does not sanitize; the attacker can then read the forwarded sensitive headers. No additional mitigation beyond upgrading is provided by the vendor.

Generated by OpenCVE AI on July 12, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @angular/service-worker to at least 22.0.1 (or 21.2.17 / 20.3.25 for those Angular releases) using npm update or by specifying the fixed version in your package.json.
  • Configure your application to only allow service‑worker fetches to trusted origins and enforce strict CORS policies to eliminate cross‑origin redirects that could leak headers.
  • Clear the service worker’s cache and purge any old cached data to ensure no legacy data remains exposed.

Generated by OpenCVE AI on July 12, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qxh6-94w6-9r5p @angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
History

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-212
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate


Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Title Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
Weaknesses CWE-200
CWE-359
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T13:46:25.169Z

Reserved: 2026-06-12T17:13:32.279Z

Link: CVE-2026-54264

cve-icon Vulnrichment

Updated: 2026-06-23T13:46:20.859Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:32:48Z

Links: CVE-2026-54264 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T21:30:16Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-212

    Improper Removal of Sensitive Information Before Storage or Transfer

  • CWE-359

    Exposure of Private Personal Information to an Unauthorized Actor