Critical RCE Vulnerabilities Uncovered in Angular Language Service VS Code Extension

Security researchers have identified a series of high-severity vulnerabilities within the Angular Language Service VS Code extension (Angular.ng-template).

These flaws create a significant opening for Remote Code Execution (RCE), potentially allowing an attacker to hijack a developer’s workstation simply by tricking them into opening a malicious project or inspecting compromised code. These vulnerabilities are formally documented under GitHub Advisory GHSA-ccq4-xmxr-8hcq.

The affected versions include all releases prior to 21.2.4. If you are an Angular developer, upgrading to the latest version is not just recommended—it is critical for maintaining the integrity of your local development environment.

Technical Deep Dive: The Anatomy of the Attack

The vulnerabilities arise from two distinct architectural weaknesses: improper sanitization of user-controlled metadata and the unsafe resolution of external binaries during the extension’s initialization phase.

1. Markdown Command Injection via JSDoc

The first vector exploits how the extension renders tooltips. When a developer hovers over a symbol in a TypeScript or JavaScript file, the Angular Language Server pulls information from JSDoc comments to generate a rich-text preview using Markdown.

Because the extension’s Markdown renderer is configured in a “trusted mode,” it is capable of processing command: URIs. The core issue is that the Language Server fails to sanitize the content within these JSDoc comments. An attacker can embed a malicious URI inside a comment; when a developer hovers over the affected symbol and interacts with the rendered Markdown, the command is executed on the host operating system.

2. Unsanitized TypeScript SDK (tsdk) Path Injection

The second, and arguably more dangerous, flaw involves the handling of the tsdk configuration. VS Code allows developers to specify a custom path for the TypeScript SDK within the .vscode/settings.json file to ensure version consistency across a team.

The Angular Language Service reads these paths directly from the workspace settings without verifying the VS Code Workspace Trust status or prompting the user for permission. These paths are subsequently passed to a background Node.js process, which dynamically loads a tsserverlibrary.js file from the provided directory.

An attacker can weaponize this by including a malicious tsserverlibrary.js file inside a repository and modifying the local settings to point to it. The moment a developer opens the workspace, the extension automatically loads and executes the malicious script. This attack is particularly insidious because it occurs silently, requiring zero user interaction after the project is opened.

Security Implications and Impact

Both of these exploits effectively bypass the built-in security protections of VS Code’s Workspace Trust model. By turning routine developer workflows—such as cloning a new repository, performing a code review, or auditing third-party dependencies—into entry points for RCE, the attack surface of the modern software supply chain is significantly expanded.

From a classification standpoint, these flaws touch upon several critical weaknesses:

  • CWE-94: Code Injection
  • CWE-427: Uncontrolled Search Path
  • CWE-494: Download of Code Without Integrity Check
  • CWE-79: Cross-Site Scripting (in the context of Markdown rendering)

The CVSS v4 assessment reflects a high-severity profile, characterized by low complexity, no required user privileges, and a network-based attack vector.

Remediation and Best Practices

To secure your environment, please follow these immediate steps:

  1. Update Immediately: Ensure the Angular Language Service extension is updated to version 21.2.4 or higher.
  2. Enforce Workspace Trust: Never “Trust” a repository unless you have verified its origin. Use VS Code’s Restricted Mode when exploring unfamiliar codebases.
  3. Audit Workspace Settings: Be wary of projects that include complex or unusual configurations within the .vscode/ directory.
  4. Organizational Defense: Security teams should consider implementing policies that restrict the execution of unverified extensions and monitor for anomalous process spawns originating from IDE-related Node.js instances.

Staying vigilant against these “silent” supply chain attacks is essential as development tools become more integrated and powerful.

Related Articles

Back to top button