@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
- Where: Global (internet)
- Category: cyber_advisory · npm
An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., `Authorization` tokens, `Proxy-Authorization` credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.

### Impact

If an application configured with the Angular Service Worker fetches assets with credential headers (such as an `Authorization` header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.

### Attack Preconditions

For this vulnerability to be exploitable:

1. **Vulnerable Configuration:** The application must utilize the `@angular/service-worker` package to fetch assets.
2. **Credentialed Requests:** The application must attach sensitive request headers (like `Authorization`, `Proxy-Authorization`, or rely on cookies) to asset-group requests.
3. **Redirect Flow:** These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.

### Patched Versions

* 22.0.1
* 21.2.17
* 20.3.25

### Credits

This vulnerability was discovered and reported by [CodeMender from Google DeepMind](https://deepmind.google/blog/introducing-codemender-an-ai-agent-for-code-security/).
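The rule the advisory says the Service Worker violated is the one the Fetch redirect algorithm applies: when a redirect target is not same-origin with the request's current URL, credential-bearing request headers are dropped before the request is re-issued. The following is an added JavaScript model of that check, not code from the advisory or from `@angular/service-worker`; it is the kind of unit-testable helper a caching or proxying layer that re-issues a request toward a `Location` target can call before copying headers across. The header list (`Authorization`, `Proxy-Authorization`, `Cookie`) is taken from the headers the advisory names and is an assumption of this example, as are the sample URLs and header values.

```javascript
// Added example (not part of the advisory or of @angular/service-worker).
// Decides which request headers may be carried to a redirect target,
// dropping credential-bearing headers when the target is cross-origin.

// Header names that must not survive a cross-origin redirect. The advisory
// names Authorization, Proxy-Authorization and cookies; the list is an
// assumption for this example and can be extended as needed.
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Same-origin comparison: scheme plus host (host includes a non-default port).
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.host === b.host;
}

// `currentUrl` is the URL the request was sent to, `locationHeader` is the
// redirect target (absolute or relative), `headers` is a plain object of
// name -> value in any letter case. Returns the resolved target URL, the
// header map to use for the follow-up request, and whether it was cross-origin.
function headersForRedirect(currentUrl, locationHeader, headers) {
  // Location may be relative; resolve it against the current request URL.
  const target = new URL(locationHeader, currentUrl).toString();
  const crossOrigin = !sameOrigin(currentUrl, target);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      continue; // dropped: carrying it would hand credentials to another origin
    }
    out[name] = value;
  }
  return { url: target, headers: out, crossOrigin };
}

// Constructed sample (hypothetical hosts and placeholder values): an asset
// request carrying a bearer token and a session cookie.
const original = {
  url: 'https://app.example.test/assets/main.js',
  headers: {
    Authorization: 'Bearer <token-placeholder>',
    Cookie: 'session=<id-placeholder>',
    Accept: '*/*',
  },
};

// Same request redirected to a different origin: credentials are stripped.
function redirectedOffOrigin() {
  return headersForRedirect(original.url, 'https://other-origin.invalid/main.js', original.headers);
}

// Same request redirected within its own origin: headers are kept intact.
function redirectedOnOrigin() {
  return headersForRedirect(original.url, '/assets/v2/main.js', original.headers);
}

console.log(redirectedOffOrigin()); // headers: { Accept: '*/*' }, crossOrigin: true
console.log(redirectedOnOrigin());  // all three headers kept, crossOrigin: false
```

A quick regression check for a caching layer is to run both cases above: the off-origin result must contain none of the sensitive names, while the on-origin result must keep them, so that the fix does not over-strip legitimate same-origin requests.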
Sources
- GitHub Advisory Database · first seen 2026-06-15 17:25 UTC