Executive Summary

CVE-2026-54264 is an information disclosure vulnerability in the Angular framework's @angular/service-worker package. The issue arises because the Service Worker preserves sensitive metadata, such as Authorization tokens, Proxy-Authorization credentials, or session cookies, when fetching assets. However, during cross-origin redirects, it fails to remove these sensitive headers, which violates the Fetch redirect algorithm.

This flaw allows a remote attacker to trigger a cross-origin redirect to an untrusted external origin and thereby obtain sensitive credentials that should have been protected.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the exposure of sensitive authentication and session information such as Authorization tokens, Proxy-Authorization credentials, and session cookies to untrusted third-party domains.

An attacker can exploit this by causing a cross-origin redirect in the Service Worker fetch process, thereby intercepting these credentials and potentially gaining unauthorized access to user accounts or services.

Such credential leakage can compromise user privacy, lead to account takeover, and undermine the security of applications relying on Angular's service worker.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the @angular/service-worker package to one of the fixed versions: 22.0.1, 21.2.17, or 20.3.25.

These versions include a fix that strips sensitive headers such as Authorization, Cookie, and Proxy-Authorization during cross-origin redirects, preventing sensitive credential leakage.

Ensuring your application uses these patched versions will align the service worker's behavior with the Fetch API redirect algorithm and protect against this information disclosure vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows sensitive credentials such as Authorization tokens, Proxy-Authorization credentials, or session cookies to be exposed to untrusted external origins during cross-origin redirects. This exposure of sensitive information can lead to violations of security best practices and potentially compromise confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA.

The fix implemented in Angular's service worker strips sensitive headers during cross-origin redirects, aligning with the Fetch API's redirect algorithm and web security standards. This change helps prevent unauthorized disclosure of sensitive data, thereby supporting compliance with regulations that require protection of personal and sensitive information.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Angular Service Worker preserving sensitive headers such as Authorization, Cookie, and Proxy-Authorization during cross-origin redirects, which should be stripped according to the Fetch redirect algorithm.

To detect this vulnerability on your system or network, you can monitor network traffic for cross-origin redirects initiated by the Angular Service Worker and check if sensitive headers are being sent to untrusted external origins.

Suggested commands include using network traffic analysis tools like curl or browser developer tools to simulate or observe requests with credential headers that trigger cross-origin redirects.

• Use curl with verbose output to follow redirects and observe headers: curl -v -L -H "Authorization: Bearer <token>" <URL>
• Use browser developer tools (Network tab) to inspect requests made by the Angular Service Worker and verify if Authorization, Cookie, or Proxy-Authorization headers are sent during cross-origin redirects.
• Capture network traffic with tools like Wireshark or tcpdump to analyze HTTP headers during redirects for presence of sensitive headers sent to different origins.

If sensitive headers are observed being sent to a different origin during redirects, the system is vulnerable and should be updated to the patched versions (22.0.1, 21.2.17, or 20.3.25).

Useful 0 Not Useful 0