GHSA-qxh6-94w6-9r5p
@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
Details
An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm.
This allows a remote attacker to obtain sensitive credentials (e.g., `Authorization` tokens, `Proxy-Authorization` credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin.
### Impact

If an application configured with the Angular Service Worker fetches assets with credential headers (such as the `Authorization` header), and one of those requests is redirected to a different origin, the Service Worker will forward those headers to the new origin. This exposes critical credentials and session identifiers to unauthorized third-party servers.

### Attack Preconditions

For this vulnerability to be exploitable:

1. **Vulnerable Configuration:** The application must use the `@angular/service-worker` package to fetch assets.
2. **Credentialed Requests:** The application must attach sensitive request headers (such as `Authorization` or `Proxy-Authorization`, or rely on cookies) to asset-group requests.
3. **Redirect Flow:** These requests must encounter a cross-origin redirect to an attacker-controlled or untrusted domain.
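The rule the advisory says was violated is the Fetch standard's redirect step: when a redirect lands on a different origin, credential-bearing request headers must not follow it. The following is an added illustration written for this advisory, not code from `@angular/service-worker` or from the Angular patch. It shows the check a defender would want in any fetch wrapper that replays request metadata across redirects, plus a small audit helper that flags headers which crossed an origin boundary. The Fetch standard names `Authorization` explicitly; treating `Proxy-Authorization` and `Cookie` the same way is a conservative choice made here, and the URLs and header values are constructed samples.

```javascript
// Added example (not Angular's code): apply the Fetch redirect rule that
// credential-bearing headers are dropped when the redirect target is a
// different origin than the original request.

// Headers treated as credentials. `authorization` is the header the Fetch
// standard strips on cross-origin redirects; the other two are added here as a
// conservative assumption, not taken from the advisory.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Origin = scheme + host + port, as computed by the URL API, so a change of
// scheme (https -> http) or port also counts as cross-origin.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Returns the headers that may be sent to `redirectUrl` given the headers of
// the original request to `originalUrl`. Header names are matched
// case-insensitively and returned in lower case.
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const crossOrigin = !sameOrigin(originalUrl, redirectUrl);
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && SENSITIVE_HEADERS.has(lower)) {
      continue; // credential header must not leave the origin
    }
    forwarded[lower] = value;
  }
  return forwarded;
}

// Audit helper: given the headers that were actually forwarded to `finalUrl`,
// report which credential headers crossed an origin boundary. An empty array
// means no leak under this rule.
function leakedCredentialHeaders(originalUrl, finalUrl, forwardedHeaders) {
  if (sameOrigin(originalUrl, finalUrl)) {
    return [];
  }
  return Object.keys(forwardedHeaders)
    .map((name) => name.toLowerCase())
    .filter((name) => SENSITIVE_HEADERS.has(name));
}

// Constructed sample: an asset request carrying a bearer token.
const sampleHeaders = {
  Authorization: 'Bearer constructed-sample-token',
  Accept: 'application/javascript',
};

// Same-origin redirect keeps the token; cross-origin redirect drops it.
const keptOnSameOrigin = headersForRedirect(
  'https://app.example/main.js',
  'https://app.example/assets/main.abc123.js',
  sampleHeaders,
);
const strippedOnCrossOrigin = headersForRedirect(
  'https://app.example/main.js',
  'https://cdn.example.net/main.js',
  sampleHeaders,
);

console.log('same-origin redirect forwards:', keptOnSameOrigin);
console.log('cross-origin redirect forwards:', strippedOnCrossOrigin);
```

`headersForRedirect` is the shape of the fix: compute the origin of the redirect target before replaying any saved request metadata. `leakedCredentialHeaders` is the shape of a regression test or log check: feed it the original URL, the final URL and the headers that were actually sent, and anything it returns is a credential that left the origin.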
### Patched Versions

* 22.0.1
* 21.2.17
* 20.3.25

### Credits

This vulnerability was discovered and reported by [CodeMender from Google DeepMind](https://deepmind.google/blog/introducing-codemender-an-ai-agent-for-code-security/).
Affected packages
| Affected from | Fixed in | Upgrade command |
|---|---|---|
| 22.0.0-next.0 | 22.0.1 | `npm install @angular/service-worker@22.0.1` |
| 21.0.0-next.0 | 21.2.17 | `npm install @angular/service-worker@21.2.17` |
| 20.0.0-next.0 | 20.3.25 | `npm install @angular/service-worker@20.3.25` |
| 0 | No fixed version published yet for `@angular/service-worker` (npm) | Pin to a known-safe version or switch to an alternative. |