Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54264

CVE-2026-54264: Angular Service Worker Info Disclosure

CVE-2026-54264 is an information disclosure vulnerability in Angular's @angular/service-worker package that leaks sensitive headers on cross-origin redirects. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-54264 Overview

CVE-2026-54264 is an information disclosure vulnerability in the @angular/service-worker package of the Angular framework. The Service Worker preserves request metadata, including headers, when fetching assets. On cross-origin redirects, it fails to strip sensitive headers, violating the Fetch redirect algorithm. A remote attacker can trigger a cross-origin redirect to an untrusted external origin and capture credentials such as Authorization tokens, Proxy-Authorization values, or session cookies. The flaw is classified under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor). Affected versions are Angular releases prior to 22.0.1, 21.2.17, and 20.3.25.

Critical Impact

Remote attackers can harvest authentication tokens and session cookies from Angular applications by redirecting Service Worker fetches to attacker-controlled origins.

Affected Products

  • Angular @angular/service-worker versions prior to 20.3.25
  • Angular @angular/service-worker versions prior to 21.2.17
  • Angular @angular/service-worker versions prior to 22.0.1

Discovery Timeline

  • 2026-06-22 - CVE CVE-2026-54264 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-54264

Vulnerability Analysis

The Angular Service Worker acts as a network proxy for client-side HTTP requests, caching assets and replaying them across navigations. When the worker issues a fetch() and the response is a cross-origin redirect, it reuses the original request metadata to follow the redirect. That metadata includes credential-bearing headers attached for the original same-origin destination.

The Fetch specification requires user agents to strip headers such as Authorization, Proxy-Authorization, Cookie, and Cookie2 when a redirect crosses origins. The Angular Service Worker bypassed this safeguard by constructing a new Request that copied the prior headers verbatim. Any redirect chain ending at an attacker-controlled host therefore delivered the victim's credentials to that host.

Root Cause

The defect lives in the asset fetching logic of packages/service-worker/worker/src/assets.ts. The worker rebuilt outgoing requests using a newHeaders wrapper that mirrored the inbound header set without applying same-origin filtering on redirects. Because the Service Worker operates outside the browser's normal navigation request pipeline, the browser's built-in redirect sanitization did not compensate for this behavior.

Attack Vector

Exploitation requires user interaction with an Angular application that registers a vulnerable Service Worker. An attacker who controls or compromises any URL fetched by the worker, including an asset URL that issues an HTTP 3xx response, can redirect that fetch to an external origin under their control. The redirect target receives the original request headers, including bearer tokens or cookies bound to the application origin.

typescript
// Patch excerpt: packages/service-worker/worker/src/adapter.ts
/**
 * Wrapper around the `Headers` constructor.
 */
-  newHeaders(headers: {[name: string]: string}): Headers {
+  newHeaders(headers: HeadersInit): Headers {
     return new Headers(headers);
   }
typescript
// Patch excerpt: packages/service-worker/worker/src/assets.ts
 *    metadata that are known to be safe.
 *
 *    Currently, headers, redirect policy, an explicit `credentials: 'omit'`, and the HTTP cache
- *   mode are preserved.
+ *   mode are preserved. On cross-origin redirects, sensitive headers are removed. This includes
+ *   `Authorization`, as required by the Fetch redirect algorithm, and forbidden request headers
+ *   that could contain credentials.

Source: Angular security patch commit 47d68dcb

Detection Methods for CVE-2026-54264

Indicators of Compromise

  • Outbound HTTPS requests from browsers to unexpected third-party domains containing Authorization or Cookie headers that match application session tokens.
  • HTTP 301, 302, 307, or 308 responses originating from Angular asset endpoints that point to non-application hosts.
  • Service Worker registrations in production traffic running @angular/service-worker versions below 20.3.25, 21.2.17, or 22.0.1.

Detection Strategies

  • Inventory deployed front-end bundles and parse ngsw.json or package-lock.json to enumerate @angular/service-worker versions in scope.
  • Inspect Content Security Policy reports and web proxy logs for redirect chains that egress to domains not on the application allowlist.
  • Replay cached fetches in a staging environment with a redirect to a controlled domain to confirm whether sensitive headers leak.

Monitoring Recommendations

  • Forward CDN and web application firewall logs to a centralized analytics platform and alert on cross-origin 3xx responses from API or asset paths.
  • Track authentication token replay from IP ranges that do not match the issuing user's session geography.
  • Monitor browser telemetry, including Network Error Logging (NEL) reports, for redirect anomalies tied to Service Worker traffic.

How to Mitigate CVE-2026-54264

Immediate Actions Required

  • Upgrade @angular/service-worker to 22.0.1, 21.2.17, or 20.3.25 depending on the active major version.
  • Rotate any Authorization tokens, session cookies, and proxy credentials that may have been exposed by vulnerable clients.
  • Audit redirect endpoints reachable by Service Worker fetches and constrain them to same-origin destinations.

Patch Information

Angular fixed the issue in commit 47d68dcb26266316647133ab6385e77fc3e5ae08 and released versions 22.0.1, 21.2.17, and 20.3.25. The fix strips sensitive headers, including Authorization and forbidden request headers, before following cross-origin redirects. Details are documented in the GitHub Security Advisory GHSA-qxh6-94w6-9r5p and the associated pull request #69029.

Workarounds

  • Disable the Angular Service Worker by removing the ServiceWorkerModule registration until the patched version is deployed.
  • Restrict outbound asset and API requests to same-origin destinations using a strict Content-Security-Policy with connect-src 'self'.
  • Move bearer tokens out of request headers handled by the Service Worker, for example by using HttpOnly cookies scoped to the application origin.
bash
# Update Angular Service Worker to a fixed release
npm install @angular/service-worker@22.0.1 --save
# Or for the 21.x line
npm install @angular/service-worker@21.2.17 --save
# Or for the 20.x line
npm install @angular/service-worker@20.3.25 --save

# Rebuild and redeploy the production bundle
ng build --configuration production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.