Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
Problem type
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
- CWE-524: Use of Cache Containing Sensitive Information
Affected products
angular
>= 22.0.0-next.0, < 22.0.0-rc.2 - AFFECTED
>= 21.0.0-next.0, < 21.2.15 - AFFECTED
>= 20.0.0-next.0, < 20.3.22 - AFFECTED
>= 19.0.0-next.0, < 19.2.23 - AFFECTED
<= 18.2.14 - AFFECTED
References
https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m
https://github.com/angular/angular/pull/67494
GitHub Security Advisories
GHSA-gv2q-mqqv-365m
Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
https://github.com/advisories/GHSA-gv2q-mqqv-365mAn issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function.
During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy.
If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes.
Impact
Web applications registering the @angular/service-worker package are vulnerable to this redirect-policy bypass if they make safe client-side fetch calls (such as { redirect: 'error' }) to paths matched by a service worker asset group (such as lazy-loaded JavaScript bundles or dynamic public assets) that can return HTTP redirects to authenticated same-origin secure endpoints.
By stripping developer-defined safety boundaries, the service worker allows the browser to transparently query and return data from credentials-guarded resources that should have been blocked at the network barrier.
Attack Preconditions
To successfully exploit this vulnerability, all of the following application states and parameters must concurrently exist:
- Active Angular Service Worker: The target application uses
@angular/service-workerand has an active registration ofngsw-worker.jsinside the client's browser context. - Asset Group Matching: An
assetGroupspattern inngsw-config.jsonencompasses the target dynamic routing endpoint. - Same-Origin Dynamic Redirection: The server routes a public matched asset route to a service that returns an HTTP 3xx redirect pointing to a sensitive, session-restricted same-origin private route (e.g.,
/private/account-summary.json). - Established User Session: The victim user currently has an active authentication state, such as valid same-origin session cookies or auth headers stored by the browser.
- Client-Side Safe Fetch Call: The application initiates an explicit fetch request to the route with safety parameters:
{ redirect: 'error' }.
Mitigations & Workarounds
If upgrading the @angular/service-worker package is not immediately feasible, developers should implement the following defensive measures:
- Avoid Public-to-Private Dynamic Redirection: Refactor the server architecture so that public paths matched by service worker asset groups never issue HTTP 3xx redirects to authenticated same-origin secure endpoints.
- Strict Cookie Configuration: Apply strict flags to session cookies (
SameSite=Strict; Secure; HttpOnly) and consider explicit route isolations (such as subdomains) for credential-guarded private resources. - Exclude Secure Endpoints from SW Config: Verify your
ngsw-config.jsonsettings and ensure that patterns targeting dynamic, secure endpoints are explicitly excluded from automatic asset groups or caching scopes.
Patches
- 22.0.0-rc.2
- 21.2.15
- 20.3.22
- 19.2.23
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-50169Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-50169",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T17:32:36.408Z",
"dateReserved": "2026-06-03T20:54:20.433Z",
"datePublished": "2026-06-22T15:41:17.125Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T15:46:26.364Z"
},
"title": "Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities",
"descriptions": [
{
"lang": "en",
"value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary (\"Confused Deputy\") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
}
],
"affected": [
{
"vendor": "angular",
"product": "angular",
"versions": [
{
"version": ">= 22.0.0-next.0, < 22.0.0-rc.2",
"status": "affected"
},
{
"version": ">= 21.0.0-next.0, < 21.2.15",
"status": "affected"
},
{
"version": ">= 20.0.0-next.0, < 20.3.22",
"status": "affected"
},
{
"version": ">= 19.0.0-next.0, < 19.2.23",
"status": "affected"
},
{
"version": "<= 18.2.14",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"cweId": "CWE-200",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')",
"cweId": "CWE-441",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"cweId": "CWE-524",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m",
"name": "https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/angular/angular/pull/67494",
"name": "https://github.com/angular/angular/pull/67494",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T17:32:36.408Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}