Angular Service Worker – Redirect Policy Bypass (GHSA-gv2q-mqqv-365m – Moderate) -DC-Jun2026-400


Intro

When the Angular Service Worker (SW) intercepts a network request that matches an asset group, it reconstructs a fresh `Request` object rather than forwarding the original. A helper function inside `ngsw-worker.js` performs this reconstruction. In versions prior to the fixed releases, that helper strips any developer-supplied `redirect` policy from the original request, e.g. `{ redirect: 'error' }`, so the rebuilt request silently falls back to the browser's default `'follow'` behaviour.
Because the SW sits between the page and the network, the stripped policy never reaches the browser's fetch engine. If the original request specified `redirect: 'error'` so that any HTTP 3xx response is treated as a fatal network error, the SW discards that instruction and follows the redirect as if no policy had ever been set.
This creates a "confused deputy" scenario: the SW acts as an unintended proxy that overrides the application's explicit security boundary. A public route that answers with a 302 or 307 redirect pointing to a sensitive, authenticated same-origin endpoint (e.g. /private/account-summary.json) is transparently followed. The browser attaches the existing session cookies and credentials to the follow-up request, so data that the `redirect: 'error'` policy was meant to keep unreachable is returned to the caller.
The vulnerability is triggered only when all of the following hold: an Angular SW is registered and active; the requested path is matched by an asset group defined in ngsw-config.json; the server answers that path with a same-origin HTTP redirect from the public route to a restricted private route; the user holds a valid session; and the application issues the fetch call with `{ redirect: 'error' }`.
Patches were released in versions 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.23.

DailyCVE Form:

Platform: Angular Service Worker (@angular/service-worker)
Version: affected < 19.2.23, < 20.3.22, < 21.2.15 and < 22.0.0-rc.2
Vulnerability: redirect policy bypass
Severity: Moderate
Date: 2026-06-15

Prediction: 2026‑05‑28

What Undercode Say

Analyse service-worker redirect behaviour with the following shell and JavaScript snippets (the comment on each one says where it runs):

# Shell: fetch the served worker script and look for version/hash strings to identify the deployed build
$ curl -s https://example.com/ngsw-worker.js | grep -E "version|hash"

// Browser devtools console: issue a fetch the SW will intercept. With redirect:'error' a 3xx must reject;
// a 200 whose res.url is a private route shows the redirect was followed despite the policy
fetch('/public/route', { redirect: 'error' })
  .then(res => console.log('Response status:', res.status, 'final URL:', res.url))
  .catch(err => console.error('Error (expected with redirect:error):', err));

# Shell: list the file and URL patterns matched by each asset group in ngsw-config.json
$ jq '.assetGroups[] | {name, files: .resources.files, urls: .resources.urls}' ngsw-config.json

# Chrome: open chrome://net-export/ in the address bar to capture a NetLog, then look for 3xx responses
# that were followed although the page requested redirect:error

Exploit

  1. Attacker identifies a public path (e.g., /public-redirect-point) that is matched by an asset group in ngsw-config.json.
  2. Attacker ensures that this path returns an HTTP 302 redirect to a private endpoint, e.g. /private/session.json.
  3. Victim, authenticated with valid session cookies, visits a page that triggers fetch('/public-redirect-point', { redirect: 'error' }).
  4. The Angular Service Worker reconstructs the request, discards the `redirect: 'error'` policy, and follows the 302 transparently.
  5. The follow-up request to /private/session.json is sent with the victim's credentials, and the private response is returned where the page expected a network error.
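The request-rebuild behaviour from the Intro and the five exploit steps above, as an added JavaScript simulation. This is not Angular's own ngsw-worker.js code, which this page does not reproduce: the route table, the cookie value and the two rebuild helpers are constructed stand-ins, and the browser fetch engine is a simplified model that implements only the redirect policy. The vulnerable rebuild drops `redirect`; the fixed one carries it through.

```javascript
// Added example (not Angular's code): a minimal simulation of the Angular
// Service Worker's request-rebuild step and the browser fetch semantics it
// sits in front of. Everything here is constructed; no network is used.

// Constructed same-origin "server": a public asset-group path that redirects
// to an authenticated route, and the private route itself.
const SERVER = {
  '/public-redirect-point': { status: 302, headers: { location: '/private/session.json' } },
  '/private/session.json': (req) =>
    req.cookies.includes('session=')
      ? { status: 200, body: '{"user":"alice","token":"s3cr3t"}' }
      : { status: 401, body: '' },
};

// A plain request description standing in for the Fetch API's Request object.
function makeRequest(url, init = {}) {
  return {
    url,
    method: init.method || 'GET',
    headers: init.headers || {},
    credentials: init.credentials || 'same-origin',
    // Fetch's default when the caller gives no policy is 'follow'.
    redirect: init.redirect || 'follow',
  };
}

// Simplified browser fetch engine: honours the request's redirect policy.
// Same-origin requests carry the session cookie unless credentials are omitted.
function browserFetch(req, cookieJar) {
  let url = req.url;
  for (let hop = 0; hop < 5; hop++) {
    const route = SERVER[url];
    const res = typeof route === 'function'
      ? route({ cookies: req.credentials === 'omit' ? '' : cookieJar })
      : route || { status: 404, body: '' };
    if (res.status >= 300 && res.status < 400) {
      if (req.redirect === 'error') throw new TypeError('Failed to fetch: redirect with redirect=error');
      if (req.redirect === 'manual') return { status: 0, type: 'opaqueredirect', body: '', url };
      url = res.headers.location; // 'follow': continue with the Location target
      continue;
    }
    return { status: res.status, body: res.body, url };
  }
  throw new TypeError('too many redirects');
}

// Vulnerable rebuild (modelled on the advisory): copies method/headers/credentials
// but drops `redirect`, so the rebuilt request silently falls back to 'follow'.
function rebuildRequestVulnerable(req) {
  return makeRequest(req.url, { method: req.method, headers: req.headers, credentials: req.credentials });
}

// Fixed rebuild: carries the developer-supplied redirect policy through.
function rebuildRequestFixed(req) {
  return makeRequest(req.url, {
    method: req.method, headers: req.headers, credentials: req.credentials, redirect: req.redirect,
  });
}

// The SW's fetch handler for an asset-group match: rebuild, then go to the network.
function serviceWorkerFetch(req, rebuild, cookieJar) {
  return browserFetch(rebuild(req), cookieJar);
}

// Page-side call from the exploit steps: an authenticated user's page fetches the
// public path with redirect:'error', intending any 3xx to be a hard failure.
function pageFetch(rebuild) {
  const req = makeRequest('/public-redirect-point', { redirect: 'error' });
  try {
    const res = serviceWorkerFetch(req, rebuild, 'session=abc123'); // constructed cookie
    return { outcome: 'followed', status: res.status, url: res.url, body: res.body };
  } catch (e) {
    return { outcome: 'blocked', error: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable SW:', pageFetch(rebuildRequestVulnerable));
  console.log('fixed SW:     ', pageFetch(rebuildRequestFixed));
}
```

Running it shows the two outcomes side by side: through the vulnerable rebuild the page receives the 200 body of /private/session.json, through the fixed rebuild the `redirect: 'error'` policy survives and the fetch rejects at the 302.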

Protection

  • Upgrade to 22.0.0-rc.2, 21.2.15, 20.3.22 or 19.2.23 (the fix for the major line in use).
  • If upgrading is not possible:
    • Refactor the server so that paths matched by an asset group never answer with a 3xx redirect to an authenticated private route.
    • Make sure that neither the redirecting public path nor any authenticated endpoint is matched by an asset group in ngsw-config.json, so the SW does not intercept and rebuild those requests.
    • Harden cookies with SameSite=Strict; Secure; HttpOnly as general hygiene. Note that SameSite does not stop this bypass by itself, because the redirect and the follow-up request are same-origin.
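An offline exposure check for the conditions listed above, added here as an example and not part of Angular's tooling: `isPatched` compares an installed version against the four patched releases, and `findRiskyRedirects` flags routes that are matched by an asset group and redirect same-origin to a restricted route. The ngsw-config.json fragment, the route table and the simplified glob matcher are constructed assumptions; in a real audit the route table would come from your server's routing layer or from crawling the deployment.

```javascript
// Added example (not Angular's code): an offline exposure check for the
// advisory's trigger conditions. The glob matcher is a simplified assumption of
// how ngsw-config.json patterns ("**", "*", "?") behave; config and routes are constructed.

const PATCHED = { 19: '19.2.23', 20: '20.3.22', 21: '21.2.15', 22: '22.0.0-rc.2' };

// Parse "21.2.14" or "22.0.0-rc.2" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-rc\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  // A final release sorts after every rc of the same x.y.z.
  return [+m[1], +m[2], +m[3], m[4] === undefined ? Infinity : +m[4]];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// true when the installed version is at or past the fix for its major line;
// null for majors with no listed fix, rather than guessing.
function isPatched(installed) {
  const fix = PATCHED[parseVersion(installed)[0]];
  if (!fix) return null;
  return compareVersions(installed, fix) >= 0;
}

// Simplified glob -> RegExp: "**/" spans directories, "*" and "?" stay within one segment.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    if (glob.startsWith('**/', i)) { re += '(?:.*/)?'; i += 2; }
    else if (glob.startsWith('**', i)) { re += '.*'; i += 1; }
    else if (glob[i] === '*') re += '[^/]*';
    else if (glob[i] === '?') re += '[^/]';
    else re += glob[i].replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}

// Constructed ngsw-config.json fragment (assumption, not a real project's file).
const NGSW_CONFIG = {
  index: '/index.html',
  assetGroups: [
    { name: 'app', installMode: 'prefetch',
      resources: { files: ['/favicon.ico', '/index.html', '/*.css', '/*.js'] } },
    { name: 'assets', installMode: 'lazy', updateMode: 'prefetch',
      resources: { files: ['/assets/**'], urls: ['/public/**'] } },
  ],
};

// Constructed view of the server's routes: status, Location for 3xx, auth for restricted routes.
const SERVER_ROUTES = [
  { path: '/index.html', status: 200 },
  { path: '/main.js', status: 200 },
  { path: '/public/redirect-point', status: 302, location: '/private/session.json' },
  { path: '/public/old-logo.png', status: 301, location: '/assets/logo.png' },
  { path: '/api/profile', status: 307, location: '/private/account-summary.json' },
  { path: '/private/session.json', status: 200, auth: true },
  { path: '/private/account-summary.json', status: 200, auth: true },
  { path: '/assets/logo.png', status: 200 },
];

// Name of the first asset group whose file or URL patterns match the path, else null.
function assetGroupFor(path, config) {
  for (const group of config.assetGroups) {
    const patterns = [...(group.resources.files || []), ...(group.resources.urls || [])];
    if (patterns.some((p) => globToRegExp(p).test(path))) return group.name;
  }
  return null;
}

// Routes the SW would intercept as assets that redirect same-origin to a restricted route.
function findRiskyRedirects(config, routes) {
  const byPath = new Map(routes.map((r) => [r.path, r]));
  const findings = [];
  for (const r of routes) {
    const sameOrigin3xx = r.status >= 300 && r.status < 400 && r.location && r.location.startsWith('/');
    if (!sameOrigin3xx) continue;
    const group = assetGroupFor(r.path, config);
    if (!group) continue; // not intercepted as an asset, so the rebuild step is not involved
    const target = byPath.get(r.location);
    if (target && target.auth) findings.push({ path: r.path, group, status: r.status, location: r.location });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('21.2.14 patched?', isPatched('21.2.14'), '| 22.0.0-rc.2 patched?', isPatched('22.0.0-rc.2'));
  console.log('risky redirects:', findRiskyRedirects(NGSW_CONFIG, SERVER_ROUTES));
}
```

Only /public/redirect-point is reported: /public/old-logo.png redirects to a public asset, and /api/profile redirects to a restricted route but is not matched by any asset group, so the SW does not rebuild that request. A finding means one of the listed mitigations applies to that path until the upgrade lands.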

Impact

Unintended credential/authentication‑context leakage; a “confused deputy” bypass that lets a service worker override developer‑intended fetch policies, enabling data exfiltration from session‑restricted same‑origin resources that were meant to remain unreachable.


Sources:

Reported By: github.com