GHSA-qxh6-94w6-9r5p: @angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
high
vulnerability
security
Summary
A vulnerability in Angular's Service Worker allows sensitive credentials (like authorization tokens or session cookies) to leak to untrusted websites when the Service Worker follows cross-origin redirects (requests sent to a different domain). The Service Worker fails to remove these sensitive headers when redirecting to another origin, exposing them to attackers.
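The header handling that the summary describes as missing, shown as an added example (this is not Angular's code or its patch): when a redirect changes origin, credential-bearing headers are dropped before the request is re-issued, and they stay dropped for the rest of the chain. The header list, function names and URLs are assumptions constructed for illustration.

```javascript
// Added example, not Angular's code. Header list is an assumption.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Compute the URL and headers for the next hop of a redirect.
// `location` may be relative, so it is resolved against the current URL.
function headersForRedirect(currentUrl, location, headers) {
  const target = new URL(location, currentUrl);
  // Origin = scheme + host + port; a change in any of them is cross-origin.
  const crossOrigin = target.origin !== new URL(currentUrl).origin;
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    kept[name] = value;
  }
  return { url: target.href, crossOrigin, headers: kept };
}

// Walk a redirect chain. Headers removed at one hop are never restored,
// even if a later hop points back at the original origin.
function followChain(startUrl, headers, locations) {
  const hops = [];
  let url = startUrl;
  let current = headers;
  for (const location of locations) {
    const next = headersForRedirect(url, location, current);
    hops.push(next);
    url = next.url;
    current = next.headers;
  }
  return hops;
}

// Constructed sample chain: same-origin hop, cross-origin hop, hop back.
const SAMPLE_HOPS = followChain(
  'https://app.example.test/api/profile',
  { Authorization: 'Bearer constructed-token', Accept: 'application/json' },
  ['/api/v2/profile', 'https://cdn.other.example/profile', 'https://app.example.test/done']
);

for (const hop of SAMPLE_HOPS) {
  console.log(hop.url, hop.crossOrigin ? 'cross-origin' : 'same-origin', Object.keys(hop.headers));
}
```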
Solution / Mitigation
Update to one of the patched versions: 22.0.1, 21.2.17, or 20.3.25.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
June 15, 2026
Classification
Attack Sophistication
Moderate
Affected Packages
@angular/service-worker@<= 19.2.25
@angular/service-worker@>= 20.0.0-next.0, < 20.3.25 (fixed: 20.3.25)
@angular/service-worker@>= 21.0.0-next.0, < 21.2.17 (fixed: 21.2.17)
@angular/service-worker@>= 22.0.0-next.0, < 22.0.1 (fixed: 22.0.1)
Original source: https://github.com/advisories/GHSA-qxh6-94w6-9r5p
First tracked: June 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%