An issue in the `@angular/service-worker` package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new `Request` object using an internal helper function. During this reconstruction, the helper strips explicit client-defined safety parameters: the credentials configuration (such as `credentials: 'omit'`) and the HTTP cache mode configuration (such as `cache: 'no-store'`). These revert to the standard browser defaults (`credentials: 'same-origin'` and default HTTP cache properties).

As a result, the browser includes active credentials (such as cookies or `Authorization` headers) on outbound requests where the client-side developer explicitly instructed that they be omitted, leading to potential session leaks. It also causes private or non-cacheable resources to be cached by the service worker's engine, so private page states remain accessible or persistent inside the client's local cache post-logout.
DailyCVE Form:
Platform: Angular Service Worker
Version: ≤18.2.14, 19.0.0-next.0–19.2.22, 20.0.0-next.0–20.3.21, 21.0.0-next.0–21.2.14, 22.0.0-next.0–22.0.0-rc.1
Vulnerability: Credential & cache stripping
Severity: Moderate
Date: 2026-06-15
Prediction: Patch expected 2026-05-29
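What Undercode Say:

Check Angular Version

```bash
npm list @angular/service-worker
```

Test Credential Leak

```javascript
// Run in the browser console of a page controlled by the service worker.
// The request asks for no credentials; inspect the request in the Network
// tab to see whether cookies are attached anyway.
fetch('/api/user', { credentials: 'omit' })
  .then(res => res.json())
  .then(console.log);
```

Post-Logout Cache Cleanup

```javascript
// Delete every Cache Storage entry whose name starts with 'ngsw:'.
if ('caches' in window) {
  caches.keys().then(names => {
    for (const name of names) {
      if (name.startsWith('ngsw:')) {
        caches.delete(name);
      }
    }
  });
}
```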
Exploit:
An attacker forces a victim to a public route matched by an asset group, which triggers the service worker to fetch an authenticated API (e.g., `/api/user`) without `credentials: 'omit'`, exposing session cookies. In addition, `cache: 'no-store'` is ignored, allowing private data to persist post-logout.
Protection:
Upgrade to patched versions (22.0.0-rc.2, 21.2.15, 20.3.22, 19.2.23). Apply strict cookie flags (SameSite=Strict; Secure; HttpOnly). Exclude secure endpoints from `ngsw-config.json` asset groups.
Impact:
Session hijacking, data leakage, and persistent cache of private resources, bypassing logout.
Sources:
Reported By: github.com

