Angular Language Service Flaws Enable Remote Code Execution

Developers face the risk of remote code execution (RCE) attacks due to a set of high-severity vulnerabilities identified in the Angular Language Service Visual Studio Code extension (Angular.ng-template). These flaws present multiple exploitation paths.

The vulnerabilities arise from insecure handling of user-controlled input and unsafe configuration loading within the extension.

Researchers found that attackers can exploit trusted development workflows, such as opening a project or reviewing source code, to execute arbitrary commands on a developer’s system.

Angular Extension Vulnerabilities

One of the key attack vectors involves JSDoc hover-based command injection.

The extension configures its Markdown rendering engine with the “isTrusted: true” setting, which allows execution of embedded command URIs inside rendered content.

However, the Angular language server fails to properly sanitize JSDoc comments before passing them to the renderer. As a result, an attacker can craft a malicious JSDoc comment containing a command link within a TypeScript or JavaScript file.

When a developer hovers over the affected symbol and clicks the link, the embedded command is executed directly on the host machine.

A second critical issue involves insecure handling of the TypeScript SDK (tsdk) configuration. The extension reads tsdk-related settings directly from the workspace’s .vscode/settings.json file without verifying workspace trust or requiring user consent.

It then passes this path to the background language server, which dynamically loads the tsserverlibrary.js file using Node.js require().

An attacker can exploit this behavior by placing a malicious tsserverlibrary.js file in a project directory and referencing it through the workspace configuration.

When the developer opens the project, the extension silently executes the malicious code during initialization, requiring no user interaction.

These vulnerabilities effectively bypass VS Code’s Workspace Trust model, which is designed to prevent execution of untrusted code.

The tsdk-based attack runs automatically when a project is opened. In contrast, the JSDoc-based attack requires minimal user interaction, making both pathways highly practical for real-world exploitation.

Successful attacks can result in complete system compromise, including unauthorized command execution, data access, and persistence.

For example, a developer cloning a seemingly legitimate repository could unknowingly trigger the exploit by simply opening the project in VS Code, allowing the attacker to gain immediate control via a malicious configuration file.

The issues, disclosed under GitHub advisory GHSA-ccq4-xmxr-8hcq, affect all versions before 21.2.4 and have been addressed in the latest patched release.

The vulnerabilities are classified as high severity under CVSS v4, with low attack complexity and no privileges required.

They are associated with multiple weaknesses, including cross-site scripting, code injection, uncontrolled search path elements, and execution of unverified code. Developers are strongly advised to upgrade to version 21.2.4 or later immediately.

In addition, it is critical to avoid opening untrusted repositories, carefully review workspace configuration files, and follow secure development practices when working with third-party code.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.