CVE-2026-54264 | assigner: GitHub_M | published 2026-06-22 15:32 | state: PUBLISHED | CVE record format 5.2 | CWE-200, CWE-359

Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

Problem type

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Affected products

Vendor: angular, product: angular

>= 22.0.0-next.0 < 22.0.1 - AFFECTED

>= 21.0.0-next.0 < 21.2.17 - AFFECTED

>= 20.0.0-next.0 < 20.3.25 - AFFECTED

<= 19.2.25 - AFFECTED

References

GitHub Security Advisories

GHSA-qxh6-94w6-9r5p

@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker

https://github.com/advisories/GHSA-qxh6-94w6-9r5p

An information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.

This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.

Impact

If an application configured with the Angular Service Worker fetches assets with credential headers (such as the Authorization header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.

Attack Preconditions

For this vulnerability to be exploitable:

  1. Vulnerable Configuration: The application must utilize the @angular/service-worker package to fetch assets.
  2. Credentialed Requests: The application must attach sensitive request headers (such as Authorization or Proxy-Authorization) to asset-group requests, or rely on cookies for them.
  3. Redirect Flow: These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.
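The defensive rule the advisory refers to is the one the Fetch redirect algorithm applies: a request that follows a redirect to a different origin must not carry its credential headers along. The block below is an added illustration of that rule, written for this page and not taken from Angular's code or its fix; it shows a redirect-safe header policy and a manual redirect-following loop that re-derives the allowed header set at every hop, exercised against a constructed chain (app origin, same-origin hop, then a third-party CDN). The header list, the URLs and the `fetchFn(url, headers)` stand-in for `fetch(url, { headers, redirect: 'manual' })` are all assumptions of the example.

```javascript
// Added example (not Angular's code): a redirect-safe header policy modelled on
// the Fetch redirect algorithm, for a service worker that re-issues asset
// requests itself and therefore has to follow redirects on its own.

// Headers that must not be carried across an origin boundary. Fetch itself
// drops Authorization on a cross-origin redirect; Proxy-Authorization and
// Cookie are included because the advisory names them (assumption: the worker
// sets them explicitly on its asset requests rather than leaving them to the browser).
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Headers that may accompany the request to `redirectUrl`, given that it was
// originally addressed to `originalUrl`. Same-origin hops keep everything;
// cross-origin hops lose the sensitive set.
function headersForRedirect(originalHeaders, originalUrl, redirectUrl) {
  const out = new Headers(originalHeaders);
  if (!sameOrigin(originalUrl, redirectUrl)) {
    for (const name of SENSITIVE_HEADERS) out.delete(name);
  }
  return out;
}

// Follow a redirect chain manually, recomputing the header set at every hop.
// `fetchFn(url, headers)` resolves to { status, location } and stands in for
// a real fetch(url, { headers, redirect: 'manual' }) (assumption of the example).
async function fetchWithSafeRedirects(startUrl, startHeaders, fetchFn, maxHops = 20) {
  let url = startUrl;
  let headers = new Headers(startHeaders);
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchFn(url, headers);
    const isRedirect = res.status >= 300 && res.status <= 399 && Boolean(res.location);
    if (!isRedirect) return { url, status: res.status };
    const next = new URL(res.location, url).href; // Location may be relative
    headers = headersForRedirect(headers, url, next);
    url = next;
  }
  throw new Error('too many redirects');
}

// Constructed scenario: the app origin redirects an asset request, first to
// another path on the same origin (credentials may stay), then to a
// third-party CDN (credentials must go). `seen` records which header names
// each server received, so the leak (or its absence) is directly observable.
async function runScenario() {
  const seen = new Map();
  const fakeFetch = async (url, headers) => {
    seen.set(url, [...headers.keys()].sort());
    if (url === 'https://app.example/assets/main.js') {
      return { status: 302, location: '/assets/v2/main.js' };
    }
    if (url === 'https://app.example/assets/v2/main.js') {
      return { status: 301, location: 'https://cdn.third-party.example/main.js' };
    }
    return { status: 200 };
  };
  const start = new Headers({ Authorization: 'Bearer constructed-token', 'X-Request-Id': 'abc' });
  const result = await fetchWithSafeRedirects('https://app.example/assets/main.js', start, fakeFetch);
  return { result, seen };
}

runScenario().then(({ result, seen }) => {
  console.log(`final: ${result.url} (${result.status})`);
  for (const [url, names] of seen) console.log(`${url} received: ${names.join(', ')}`);
});
```

The vulnerable behaviour the advisory describes corresponds to skipping the `headersForRedirect` step and reusing the original header set unchanged on every hop; the scenario's third entry in `seen` is where that difference shows up (only `x-request-id` should reach the CDN). A real implementation would also apply the other Fetch redirect rules (method and body changes on 301/302/303), which this example leaves out.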

Patched Versions

  • 22.0.1
  • 21.2.17
  • 20.3.25

Credits

This vulnerability was discovered and reported by CodeMender from Google DeepMind.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-54264
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-54264",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T15:32:48.163Z",
    "dateReserved": "2026-06-12T17:13:32.279Z",
    "datePublished": "2026-06-22T15:32:48.163Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T15:32:48.163Z"
      },
      "title": "Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker",
      "descriptions": [
        {
          "lang": "en",
          "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
        }
      ],
      "affected": [
        {
          "vendor": "angular",
          "product": "angular",
          "versions": [
            {
              "version": ">= 22.0.0-next.0 < 22.0.1",
              "status": "affected"
            },
            {
              "version": ">= 21.0.0-next.0 < 21.2.17",
              "status": "affected"
            },
            {
              "version": ">= 20.0.0-next.0 < 20.3.25",
              "status": "affected"
            },
            {
              "version": "<= 19.2.25",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "cweId": "CWE-200",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
              "cweId": "CWE-359",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p",
          "name": "https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/angular/angular/pull/69029",
          "name": "https://github.com/angular/angular/pull/69029",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08",
          "name": "https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}