CVE-2026-54264
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
An Information Exposure vulnerability (CVE-2026-54264) has been identified in the @angular/service-worker package where on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.
Per OWASP, this vulnerability falls under Sensitive Data Exposure. Sensitive Data Exposure occurs when an application improperly protects confidential information, allowing unauthorized users to access data that should remain restricted. Sensitive information may be disclosed through application responses, logs, error messages, client-side code, or other accessible resources, potentially enabling attackers to obtain credentials, personal information, system details, or other confidential data that could be used to facilitate further attacks.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/service-worker
- Affected versions:
- >= 22.0.0-next.0 < 22.0.1
- >= 21.0.0-next.0 < 21.2.17
- >= 20.0.0-next.0 < 20.3.25
- <= 19.2.25
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/service-worker
- Package manager: npm
- Fixed in:
- OSS Angular v22.0.1, v21.2.17, v20.3.25
Vulnerability Info
This High-severity vulnerability is found in the @angular/service-worker package in multiple published versions of Angular.
When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.
This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.
Mitigation
Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.