Impact
The @angular/service-worker package fails to preserve client‑defined request options when it reconstructs a Request object for intercepted assets. Credentials settings such as credentials: 'omit' and cache options like cache: 'no-store' are reset to the browser defaults (credentials: 'same-origin' and the browser default cache). As a result, sensitive headers or cookies may be sent unintentionally and private page data may be cached by the service worker, allowing session secrets to leak or private content to remain cached after logout.
Affected Systems
Angular, specifically the @angular/service-worker package, is affected in all releases older than 22.0.0‑rc.2, 21.2.15, 20.3.22, and 19.2.23. Users running these earlier versions on websites that register a service worker are vulnerable. The issue is fixed in the quoted releases.
Risk and Exploitability
The vulnerability carries a CVSS score of 5.7, indicating a moderate risk. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector likely requires the user to access a web application that registers a service worker and invokes affected assets; an attacker could observe leaked credentials or cached private data during that interaction.
OpenCVE Enrichment
Github GHSA