
CVE-2026-50184: Angular Service Worker Request Credential and Cache Policy Stripping Vulnerability

EPSS 0.12% · P2

I. Basic Information on CVE-2026-50184

Vulnerability Information


Vulnerability Title
Angular: Request Credential & Cache Policy Stripping in Angular Service Worker
Source: NVD (National Vulnerability Database)
Vulnerability Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Information Exposure
Source: NVD (National Vulnerability Database)
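
The request-reconstruction issue in the description above, as an added JavaScript illustration (not Angular's code and not code from this page). The helper names `rebuildLossy`, `rebuildPreserving` and `policyDrift`, the list of policy fields and the sample URL are assumptions made for this example; it contrasts a rebuild that copies only method and headers with one that carries the caller's policy over, and reports which fields drifted.

```javascript
// Added illustration. Helper names are hypothetical, not Angular internals.
// Uses the Fetch API Request class (browsers, service workers, Node 18+).

// Request fields that carry the caller's policy (assumed list for this example).
const POLICY_FIELDS = ['credentials', 'cache', 'redirect', 'referrerPolicy', 'integrity'];

// Lossy pattern: only method and headers survive, so every policy field
// silently falls back to the browser default.
function rebuildLossy(req, url = req.url) {
  return new Request(url, { method: req.method, headers: req.headers });
}

// Preserving pattern: copy each policy field from the intercepted request.
function rebuildPreserving(req, url = req.url) {
  const init = { method: req.method, headers: req.headers };
  for (const field of POLICY_FIELDS) init[field] = req[field];
  return new Request(url, init);
}

// Regression check: list the policy fields whose value changed in the rebuild.
function policyDrift(original, rebuilt) {
  return POLICY_FIELDS
    .filter((field) => original[field] !== rebuilt[field])
    .map((field) => ({ field, wanted: original[field], got: rebuilt[field] }));
}

// Constructed sample: a caller that asked for no cookies and no caching.
function sampleRequest() {
  return new Request('https://app.example/api/profile', {
    credentials: 'omit',
    cache: 'no-store',
    headers: { accept: 'application/json' },
  });
}

const original = sampleRequest();
console.log('lossy rebuild drift:', policyDrift(original, rebuildLossy(original)));
console.log('preserving rebuild drift:', policyDrift(original, rebuildPreserving(original)));
```

A check like `policyDrift` fits in a unit test around any fetch wrapper or service worker handler that rebuilds requests, so a dropped field fails the build instead of reaching users.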

Affected Products

Vendor: angular · Product: angular · Affected versions: >= 22.0.0-next.0, < 22.0.0-rc.2 · CPE: -

II. Public POCs for CVE-2026-50184


No public POC was found.


III. Intelligence Information for CVE-2026-50184


Other references for CVE-2026-50184 (2)

Same Patch Batch · angular · 2026-06-22 · 17 CVEs total

CVE-2026-52725 · Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (X
CVE-2026-54265 · Angular: Two-Way Property Binding Sanitization Bypass (XSS)
CVE-2026-54268 · Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
CVE-2026-54266 · Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Dat
CVE-2026-54264 · Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
CVE-2026-54267 · Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
CVE-2026-49241 · Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Cod
CVE-2026-50171 · Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
CVE-2026-50169 · Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
CVE-2026-50557 · Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
CVE-2026-50168 · Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Byp
CVE-2026-50556 · Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scriptin
CVE-2026-50555 · Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scriptin
CVE-2026-50170 · Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCach
CVE-2026-50178 · Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Langua
CVE-2026-46417 · Angular: SSRF via Hostname Hijacking in @angular/platform-server

IV. Related Vulnerabilities

V. Comments on CVE-2026-50184

No comments yet.

