CVE-2026-50169
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
A vulnerability in the @angular/service-worker package causes the Service Worker to strip strict redirect policies (e.g., redirect: 'error') during request reconstruction, falling back to the browser's default 'follow' behavior. This can lead to unintended following of HTTP 3xx redirects, potentially exposing cookies, credentials, or session-restricted data.
Risk Assessment
The organization risks data leakage if the Angular application enforces strict redirect policies, as the Service Worker may act as an unintended proxy, allowing access to sensitive resources via public dynamic routes.
Recommendation
Immediately update @angular/service-worker to version 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23, depending on the major Angular version in use.
Original NVD description (English source)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

