Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
References
| Link | Resource |
|---|---|
| https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08 | Patch |
| https://github.com/angular/angular/pull/69029 | Issue Tracking Patch |
| https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
26 Jun 2026, 19:30
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Angularjs
Angularjs angularjs |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| CPE | cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:* cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:* |
|
| References | () https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08 - Patch | |
| References | () https://github.com/angular/angular/pull/69029 - Issue Tracking, Patch | |
| References | () https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p - Third Party Advisory |
22 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-22 16:16
Updated : 2026-06-26 19:30
NVD link : CVE-2026-54264
Mitre link : CVE-2026-54264
CVE.ORG link : CVE-2026-54264
JSON object : View
Products Affected
angularjs
- angularjs
