diff --git a/packages/docusaurus-plugin-pwa/src/sw.ts b/packages/docusaurus-plugin-pwa/src/sw.ts
index ec46930f8..65d4a56a4 100644
--- a/packages/docusaurus-plugin-pwa/src/sw.ts
+++ b/packages/docusaurus-plugin-pwa/src/sw.ts
@@ -105,13 +105,22 @@ function getPossibleURLs(url: string) {
 for (const possibleURL of possibleURLs) {
 const cacheKey = controller.getCacheKeyForURL(possibleURL);
 if (cacheKey) {
- const cachedResponse = caches.match(cacheKey) as Promise;
+ // Sanitize cacheKey to prevent ReDoS or injection
+ // Only allow safe URL characters
+ const safeCacheKey = cacheKey.replace(
+ /[^\w.\-~:/?#[\]@!$&'()*+,;=%]/g,
+ '',
+ );
+ const cachedResponse = caches.match(
+ safeCacheKey,
+ ) as Promise;
 if (params.debug) {
 console.log('[Docusaurus-PWA][SW]: serving cached asset', {
 requestURL,
 possibleURL,
 possibleURLs,
 cacheKey,
+ safeCacheKey,
 cachedResponse,
 });
 }
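Review bot: The new `safeCacheKey` sanitization does not mitigate what its comment claims and can silently turn a cache hit into a miss: `cacheKey` is passed to `caches.match`, which treats the string as an opaque Cache API key rather than evaluating it as a regex or interpolating it anywhere, so there is no ReDoS or injection surface here, and the hunk itself is the only regex in play. `cacheKey` is the value returned by `controller.getCacheKeyForURL`, which presumably resolves `possibleURL` against the precache manifest, so any character the class strips (notably non-ASCII, since `\w` is ASCII-only in JS) would produce a key that matches no cache entry and the lookup would fail without any log line. Either restore `const cachedResponse = caches.match(cacheKey) as Promise;` and replace the two comments with one explaining that the key comes from the precache manifest and needs no sanitization, or, if the filter is kept, guard the divergence: `if (safeCacheKey !== cacheKey) { console.warn('[Docusaurus-PWA][SW]: cache key altered by sanitization', {cacheKey, safeCacheKey}); }`. The enclosing loop and fetch handler start and end outside this hunk.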