CVE-2026-50169
Undergoing Analysis - In Progress
Request Policy Bypass in Angular Service Worker

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction, the helper function strips the strict, client-defined request redirect policy (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker bypasses this instruction and automatically follows HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-23
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
angular service-worker to 19.2.23 (inc)
angular service-worker From 18.2.14 (inc) to 19.2.23 (exc)
angular service-worker From 20.0.0-next.0 (inc) to 20.3.22 (exc)
angular service-worker From 21.0.0-next.0 (inc) to 21.2.15 (exc)
angular service-worker From 22.0.0-next.0 (inc) to 22.0.0-rc.2 (exc)
angular service-worker 19.2.23
angular service-worker 20.3.22
angular service-worker 21.2.15
angular service-worker 22.0.0-rc.2
CWE ID Description
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Executive Summary

CVE-2026-50169 is a moderate-severity vulnerability in the Angular Service Worker package (@angular/service-worker) that causes the service worker to ignore client-defined strict redirect policies during request reconstruction.

When the Angular Service Worker intercepts network requests for matched assets, it rebuilds a new Request object but unintentionally strips out strict redirect policies like `redirect: 'error'`. Instead, it defaults to the browser's 'follow' redirect strategy.

This means that if a web application expects a network error on redirects, the service worker will instead follow the redirect automatically, acting as an unintended proxy or 'Confused Deputy'.

This behavior can lead to exposure of sensitive information such as cookies, credentials, or session-restricted data if public dynamic routes redirect to sensitive routes.

Impact Analysis

This vulnerability can impact you by exposing sensitive data such as cookies, credentials, or session-restricted information due to unintended automatic following of HTTP 3xx redirects.

If your web application uses strict client-side redirect policies to prevent automatic redirects and protect sensitive routes, this vulnerability bypasses those protections.

An attacker could exploit this by causing the Angular Service Worker to act as a proxy, potentially leaking sensitive session data when public routes redirect to authenticated or sensitive endpoints.

Exploitation requires an active Angular Service Worker, a matching asset group, same-origin redirection to sensitive routes, an authenticated user session, and client-side fetch calls with strict redirect policies.

Detection Guidance

Detection of this vulnerability involves verifying if your system is running a vulnerable version of the Angular Service Worker package (@angular/service-worker) and if the service worker is actively intercepting network requests with strict redirect policies.

You can check the installed version of @angular/service-worker in your project by running the following command in your project directory:

  • npm list @angular/service-worker

To detect if the service worker is intercepting requests and potentially bypassing redirect policies, you can monitor network traffic in your browser's developer tools or use command-line tools like curl with strict redirect policies to test the behavior.

For example, curl can show whether a given route answers with a 3xx at all (curl runs outside the browser and outside the service worker, so it cannot reproduce the browser's `redirect: 'error'` policy; with `--max-redirs 0` it reports an error on the first redirect instead of following it):

  • curl -I -L --max-redirs 0 https://your-angular-app.example.com/path

Additionally, you can inspect the service worker's fetch event handling in your application to verify if redirect policies are preserved or stripped during request reconstruction.
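As an added illustration (this is not Angular's own code), the following JavaScript contrasts a lossy Request rebuild, which drops the caller's redirect mode, with one that preserves it, and replays both against a constructed same-origin redirect so the difference in outcome is visible. The function names, the route table and the host app.example.invalid are assumptions made for the example; it assumes a runtime with the WHATWG `Request` global (a browser or Node 18+).

```javascript
// Added example, not code from the Angular project. Assumes the WHATWG
// `Request` global. Names and routes below are constructed for illustration.

// Lossy rebuild mirroring the defect described in the advisory: method,
// headers and credentials are copied, `redirect` is not, so the new
// Request silently reverts to the default policy 'follow'.
function rebuildRequestLossy(original, url = original.url) {
  return new Request(url, {
    method: original.method,
    headers: original.headers,
    credentials: original.credentials,
  });
}

// Policy-preserving rebuild: the caller's redirect mode is carried over.
function rebuildRequestPreserving(original, url = original.url) {
  return new Request(url, {
    method: original.method,
    headers: original.headers,
    credentials: original.credentials,
    redirect: original.redirect,
  });
}

// Constructed routing table standing in for the server: a public dynamic
// route that redirects to a session-restricted route on the same origin.
const ROUTES = {
  '/public/latest': { status: 302, location: '/account/secrets' },
  '/account/secrets': { status: 200, body: 'session-restricted data' },
};

// Offline stand-in for fetch(): under redirect 'error' a 3xx surfaces as a
// network error; under 'follow' the redirect target is fetched with the same
// credentials, which is the unintended-proxy behaviour the advisory describes.
function simulateFetch(request) {
  const { pathname } = new URL(request.url);
  const route = ROUTES[pathname];
  if (!route) return { ok: false, status: 404, body: null };
  if (route.status === 302) {
    if (request.redirect === 'error') {
      return { ok: false, error: 'network error', body: null };
    }
    const next = new URL(route.location, request.url).toString();
    return simulateFetch(rebuildRequestPreserving(request, next));
  }
  return { ok: true, status: route.status, body: route.body };
}
```

Running `simulateFetch` on the lossy rebuild of a `redirect: 'error'` request returns the restricted body, while the preserving rebuild yields the network error the client asked for.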

Mitigation Strategies

Immediate mitigation steps include upgrading the @angular/service-worker package to a patched version where this vulnerability is fixed.

  • Upgrade to one of the fixed versions (19.2.23, 20.3.22, 21.2.15, or 22.0.0-rc.2) or any later release of the same line.

If upgrading immediately is not possible, apply temporary mitigations such as:

  • Avoid public-to-private dynamic redirection in your application routes.
  • Apply strict cookie configurations to limit exposure.
  • Exclude secure or sensitive endpoints from service worker interception by adjusting the service worker configuration.