Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
Description
Angular Service Worker strips client-defined redirect policies during request reconstruction, enabling credential exposure via same-origin redirects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue in the @angular/service-worker package (all versions prior to the 2026-06-15 patch) compromises the integrity of request-policy enforcement. When the service worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function newRequestWithMetadata(). This helper strips the strict, client-defined redirect policy configuration (e.g., redirect: 'error'), falling back to the browser's default 'follow' strategy [1][2]. The bug affects applications that register an active Angular Service Worker and define assetGroups patterns in ngsw-config.json that encompass dynamic endpoints that may return HTTP 3xx redirects [1].
Exploitation
An attacker must first identify a target web application that meets three preconditions: (1) an active Angular Service Worker (ngsw-worker.js) is registered in the client browser; (2) an assetGroups pattern in ngsw-config.json matches a dynamic routing endpoint; (3) that endpoint can, under attacker influence or through normal operation, issue a same-origin HTTP redirect to an authenticated secure endpoint (e.g., a session-restricted API) [1][2]. No client-side user interaction beyond the normal fetch call is required; the service worker automatically processes the request and follows the redirect because it ignores the redirect: 'error' policy set by the application. The attacker must be able to trigger the redirect (e.g., via a compromised public redirect, a path that redirects after a certain action, or by luring a user to a crafted link).
Impact
Successful exploitation results in the browser transparently following the redirect and returning data from credentials-guarded (same-origin) resources that should have been blocked at the network barrier. This acts as an unintended proxy or "Confused Deputy", leading to potential cookie or credential exposure, or same-origin session-restricted data leakage [1][2]. The impact is limited to same-origin scenarios; the attacker gains access to authenticated resources but does not escalate privileges beyond what the redirected endpoint provides.
Mitigation
The fix was implemented in pull request #67494 and is available in the latest versions of @angular/service-worker as of June 15, 2026 [3]. The patch preserves the redirect mode when rebuilding asset requests in newRequestWithMetadata(), ensuring that explicit redirect: 'error' semantics are respected [3]. All users should update to the patched version immediately. There is no workaround for unpatched versions other than disabling the service worker or ensuring no asset group pattern covers any dynamic endpoint that could return a redirect.
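One way to check the workaround described above: an added example (not Angular code) that lists which asset-group URL patterns cover routes known to answer with a redirect. The function names, the sample config and the route list are constructed. The glob handling is a simplified approximation, and only `resources.urls` is audited, on the assumption that those are the patterns matched at run time.

```javascript
// Added illustration, not Angular code. Approximates the glob syntax of
// assetGroups[].resources.urls: '**' spans path segments, '*' stays within
// one segment, '?' is treated literally here.
function urlGlobToRegExp(glob) {
  const segs = glob.split('/');
  const body = segs.map((seg, i) => {
    const last = i === segs.length - 1;
    if (seg === '**') return last ? '.*' : '(?:.+/)?';
    const esc = seg.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
    return last ? esc : esc + '/';
  }).join('');
  return new RegExp('^' + body + '$');
}

// Returns one finding per (asset group, pattern, route) where a runtime URL
// pattern covers a route the caller has listed as able to answer with a 3xx.
function auditAssetGroups(ngswConfig, redirectingRoutes) {
  const findings = [];
  for (const group of ngswConfig.assetGroups || []) {
    for (const pattern of (group.resources && group.resources.urls) || []) {
      const re = urlGlobToRegExp(pattern);
      for (const route of redirectingRoutes) {
        if (re.test(route)) findings.push({ group: group.name, pattern, route });
      }
    }
  }
  return findings;
}

// Constructed sample config and route list (not from any real project).
const SAMPLE_CONFIG = {
  index: '/index.html',
  assetGroups: [
    { name: 'app', installMode: 'prefetch',
      resources: { files: ['/index.html', '/*.js'] } },
    { name: 'lazy', installMode: 'lazy',
      resources: { urls: ['/assets/**', '/go/*', 'https://fonts.example/**'] } },
  ],
};
const SAMPLE_REDIRECTING_ROUTES = ['/go/profile', '/api/account/summary'];
```

Any finding is a pattern to narrow or remove before the patched package is deployed.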
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 1
57a07d005842 refactor(service-worker): remove unnecessary cast in mock redirect check
1 file changed · +1 −1
packages/service-worker/worker/testing/mock.ts+1 −1 modified@@ -166,7 +166,7 @@ export class MockServerState { const url = req.url.split('?')[0]; if (this.resources.has(url)) { const response = this.resources.get(url)!.clone(); - if ((response as any).redirected && req.redirect === 'error') { + if (response.redirected && req.redirect === 'error') { throw new Error('Redirect disallowed by request policy.'); } return response;
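Review bot: In the `redirected` check inside `MockServerState`, the mock throws a plain `Error('Redirect disallowed by request policy.')`, whereas a browser `fetch()` with `redirect: 'error'` rejects with a `TypeError`; consider throwing `TypeError` so tests that branch on the error type see what production would produce. The same condition only handles `'error'`: a request with `redirect: 'manual'` falls through to `return response` and receives the redirected response unchanged, which is worth either handling or stating in a comment. The cast removal itself is type-only and changes no behaviour, so this hunk adds no coverage for the redirect-mode preservation the advisory describes.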
Vulnerability mechanics
Root cause
"The Angular service worker's internal request-reconstruction helper discards the client-defined `redirect` policy, falling back to the browser's default `'follow'` and bypassing the intended safety boundary."
Attack vector
An attacker must set up a scenario where a public dynamic route matched by a service worker `assetGroups` pattern returns an HTTP 3xx redirect to a sensitive same-origin endpoint. When the victim's client-side code issues a `fetch()` with `{ redirect: 'error' }` to that route, the Angular service worker intercepts the request, reconstructs a new `Request` object without preserving the `redirect` policy, and the browser automatically follows the redirect. This bypasses the intended safety barrier and can leak session-restricted data (e.g., account summaries) from the target endpoint.
Affected code
The vulnerability resides in the `@angular/service-worker` package: the internal request-reconstruction helper function used when the service worker intercepts network requests discards the client-specified `redirect` policy (e.g., `'error'`), falling back to the browser default `'follow'`. The patch modifies the test mock file `packages/service-worker/worker/testing/mock.ts` to use the typed `Response.redirected` property, but the core fix must be in the production request-handling code that preserves the redirect configuration.
What the fix does
The patch (commit `57a07d005842f4d7d5d20a29896058f376fa0e13`) removes an unnecessary `(response as any)` cast and uses the typed `Response.redirected` property directly in the service-worker test mock. However, the advisory indicates the real production fix is in the internal request-reconstruction helper that must preserve the client's `redirect` configuration (e.g., `'error'`) instead of falling back to the default `'follow'`. Without that preservation, the service worker acts as an unintended proxy that overrides the application's safety policy.
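The difference between dropping and preserving the policy, as an added example that is not code from `@angular/service-worker`: a rebuild that copies only method and headers, a rebuild that carries the policy fields across, and a drift check suitable for a regression test. All function names and the sample URL are hypothetical; it uses the standard `Request` and `Headers` globals and goes beyond `redirect` to the other caller-set policy fields.

```javascript
// Added illustration: NOT code from @angular/service-worker.
// Function names and the sample URL are hypothetical.

// Request fields that carry the caller's policy and must survive a rebuild.
const POLICY_FIELDS = ['redirect', 'credentials', 'mode', 'cache', 'referrerPolicy', 'integrity'];

// Vulnerable shape: copies only method and headers, so every policy field
// resets to the constructor default (redirect becomes 'follow').
function rebuildDroppingPolicy(req, extraHeaders = {}) {
  const headers = new Headers(req.headers);
  for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);
  return new Request(req.url, { method: req.method, headers });
}

// Hardened shape: carries each policy field across explicitly.
function rebuildPreservingPolicy(req, extraHeaders = {}) {
  const headers = new Headers(req.headers);
  for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);
  const init = { method: req.method, headers };
  for (const f of POLICY_FIELDS) init[f] = req[f];
  return new Request(req.url, init);
}

// Regression check: names of the policy fields that changed during a rebuild.
function policyDrift(original, rebuilt) {
  return POLICY_FIELDS.filter((f) => original[f] !== rebuilt[f]);
}

// Constructed sample: the application asks for any redirect to be an error.
function sampleRequest() {
  return new Request('https://app.example/go/profile', {
    redirect: 'error',
    headers: { accept: 'application/json' },
  });
}
```

An empty result from `policyDrift()` is the property a unit test around any request-rebuilding helper should assert.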
Preconditions
- config: The target application has an active `@angular/service-worker` registration (e.g., `ngsw-worker.js`).
- config: An `assetGroups` pattern in `ngsw-config.json` matches the dynamic routing endpoint.
- network: The server returns an HTTP 3xx redirect from the matched public route to a sensitive same-origin endpoint.
- auth: The victim has an active authenticated session (cookies or auth headers).
- input: The client-side application issues a `fetch()` call with `{ redirect: 'error' }` to the matched route.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0