CVE-2026-50184

Name of the Vulnerable Software and Affected Versions @angular/service-worker versions prior to 19.2.23 @angular/service-worker versions prior to 20.3.22 @angular/service-worker versions prior to 21.2.15 @angular/service-worker versions prior to 22.0.0-rc.2

Description An issue in the @angular/service-worker package compromises request-policy enforcement during request reconstruction. When the service worker intercepts network requests for matched assets, an internal helper function strips explicit client-defined safety parameters, specifically the credentials configuration (e.g., credentials: 'omit') and the HTTP cache mode configuration (e.g., cache: 'no-store'). These are reverted to browser-default parameters, such as credentials: 'same-origin'.

This behavior causes the browser to include active credentials, like cookies or Authorization headers, in outbound requests where they were explicitly intended to be omitted, potentially leading to session leaks. Furthermore, private or non-cacheable resources may be cached by the service worker engine, allowing private page states to persist in the local cache after a user logs out.

Recommendations Update to version 19.2.23 or later. Update to version 20.3.22 or later. Update to version 21.2.15 or later. Update to version 22.0.0-rc.2 or later. Apply strict flags to session cookies (SameSite=Strict; Secure; HttpOnly) and ensure complete route isolation for credential-guarded secure resources. Exclude patterns targeting dynamic, secure endpoints from automatic asset groups or caching scopes in the ngsw-config.json file. Programmatically purge the browser's Cache Storage API entries registered by the Angular Service Worker upon user logout.