Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Four simultaneous preconditions required (AC:H); victim must use the app (UI:R); same-origin credential leakage only (C:L); no integrity or availability impact.
Primary rating from Vendor (https://github.com/angular/angular).
CVSS VectorVendor: https://github.com/angular/angular
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function.
During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties).
This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout.
Impact
Web applications registering the @angular/service-worker package are vulnerable to credential exposure or post-logout cache persistence if client-side code relies on fetch calls with explicit safety attributes (such as { credentials: 'omit' } or { cache: 'no-store' }) targeting paths matched by service worker asset groups.
By stripping these safety boundaries, the service worker exposes same-origin cookies and dynamic sensitive data to endpoints that should not receive them, or retains dynamic user sessions in cache storage where logout operations fail to fully evict user records.
Attack Preconditions
To successfully exploit this vulnerability, all of the following application states and parameters must concurrently exist:
- Active Angular Service Worker: The target application uses
@angular/service-workerand has an active registration ofngsw-worker.jsinside the client's browser context. - Asset Group Matching: An
assetGroupspattern inngsw-config.jsonencompasses the target dynamic routing endpoint. - Established User Session: The victim user currently has an active authentication state, such as valid same-origin session cookies or auth headers stored by the browser.
- Client-Side Safe Fetch Call: The application initiates an explicit fetch request to the route with safety parameters:
{ credentials: 'omit' }or specific cache control parameters (e.g.{ cache: 'no-store' }).
Mitigations & Workarounds
If upgrading the @angular/service-worker package is not immediately feasible, developers should implement the following defensive measures:
- Strict Cookie Configuration: Apply strict flags to session cookies (
SameSite=Strict; Secure; HttpOnly) and ensure complete route isolation for credential-guarded secure resources. - Exclude Secure Endpoints from SW Config: Ensure that patterns targeting dynamic, secure endpoints are explicitly excluded from automatic asset groups or caching scopes in your
ngsw-config.json. - Post-Logout Cache Invalidation: Programmatically purge the browser's Cache Storage API entries registered by the Angular Service Worker upon user logout:
if ('caches' in window) {
caches.keys().then(names => {
for (let name of names) {
if (name.startsWith('ngsw:')) {
caches.delete(name);
}
}
});
}Patches
- 22.0.0-rc.2
- 21.2.15
- 20.3.22
- 19.2.23
AnalysisAI
Request credential and cache policy stripping in @angular/service-worker (versions 19.x through 22.x pre-release) causes the service worker's internal request reconstruction logic to silently discard explicit developer-defined safety parameters, replacing credentials: 'omit' with the browser default credentials: 'same-origin' and overriding cache: 'no-store' with default cache behavior. This results in two distinct failure modes: session cookies and Authorization headers are transmitted to same-origin endpoints that were explicitly designed to receive anonymous requests, and private or sensitive HTTP responses are stored in the browser's Cache Storage under ngsw: prefixed keys where they persist after user logout. No public exploit identified at time of analysis and no CISA KEV listing; vendor-released patches are available across all active major branches.
Technical ContextAI
The flaw resides in the AssetGroup class within packages/service-worker/worker/src/assets.ts of the @angular/service-worker npm package (CPE: pkg:npm/@angular_service-worker). Angular's service worker intercepts fetch events matching URL patterns defined in assetGroups within ngsw-config.json, then reconstructs a new Request object via an internal helper before forwarding it to the network or cache. Prior to the fix, this helper preserved only HTTP headers and redirect policy - it explicitly omitted credentials and cache mode, reverting both to browser defaults. The Fetch API's credentials: 'omit' is a W3C-standard directive that prevents cookies and HTTP authentication headers from being attached to a request; cache: 'no-store' prevents the HTTP cache from storing the response. By discarding these directives during reconstruction, the rebuilt Request inherits credentials: 'same-origin', causing the browser to attach any in-scope cookies or auth headers. The root cause is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) - the service worker's own interception layer becomes the mechanism that undermines the application's intended security posture. The code fix in PR #68904 adds conditional logic: if the original request carried credentials: 'omit', that value is preserved in the RequestInit object; similarly, if a cache mode was explicitly set, it is forwarded rather than dropped.
RemediationAI
Upgrade @angular/service-worker to a vendor-released patched version corresponding to your active major branch: 19.2.23 for 19.x, 20.3.22 for 20.x, 21.2.15 for 21.x, or 22.0.0-rc.2 for the 22.x pre-release line. The upstream fix is documented in GitHub PR #68904 (https://github.com/angular/angular/pull/68904) and modifies AssetGroup's internal request reconstruction helper in assets.ts to conditionally forward credentials: 'omit' and explicit cache mode values. If immediate upgrade is not feasible, three compensating controls are available with noted trade-offs. First, exclude sensitive dynamic endpoints from assetGroups patterns in ngsw-config.json - this prevents the service worker from intercepting those requests entirely, eliminating the stripping behavior at the cost of losing caching benefits for those routes; ensure exclusion patterns are specific enough not to break other application functionality. Second, apply SameSite=Strict; Secure; HttpOnly cookie attributes to session tokens, which reduces the blast radius of same-origin credential leakage though it does not prevent the service worker from forwarding credentials. Third, on user logout, programmatically purge Angular Service Worker cache entries using the Cache Storage API: iterate caches.keys() and delete all entries with the ngsw: prefix - this mitigates post-logout persistence but does not address live credential forwarding during active sessions. Full advisory is at https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38296
GHSA-95qp-cmmw-mgqv