Two vulnerabilities in the Angular Language Service exposed developers to code execution attacks delivered through malicious VS Code projects and unsafe extension behavior.
The issues affect the Angular.ng-template extension and stem from unsafe handling of user-controlled input and insecure loading of configuration files. Researchers warned that simply opening a malicious project in VS Code could be enough to trigger an attack.
The vulnerabilities mainly target developers working with Angular projects and could lead to full system compromise if exploited successfully.
Malicious JSDoc Comments Can Trigger Command Execution
One of the vulnerabilities involves the way the extension processes JSDoc comments inside TypeScript and JavaScript files.
Researchers found that the extension renders hover documentation as trusted Markdown, which lets embedded command links execute inside hover previews. Because the Angular language server passes JSDoc content through without sanitizing it, an attacker can place command URIs in a project's source comments and have them rendered as clickable, executable links.
In a possible attack scenario:
- An attacker adds a malicious JSDoc comment to a project
- The developer opens the file in VS Code
- Hovering over the affected symbol displays the malicious link
- Clicking the link executes commands on the host system
This creates a practical path to code execution through a normal development workflow, although it still depends on the developer clicking the link.
Workspace Configuration Flaw Allows Silent Code Execution
A second vulnerability affects how the extension handles the TypeScript SDK (tsdk) configuration.
The extension reads settings directly from the project’s .vscode/settings.json file and loads the specified tsserverlibrary.js file without properly checking workspace trust or requesting user approval.
Attackers can abuse this behavior by:
- Placing a malicious tsserverlibrary.js file inside the repository
- Modifying the workspace settings to reference that file
- Triggering automatic execution when the project is opened
Unlike the JSDoc attack, this method requires no user interaction and can run silently during extension initialization.
Researchers noted that this behavior effectively bypasses VS Code’s Workspace Trust protections, which are intended to prevent untrusted projects from executing code automatically.
High Risk for Developers
Successful exploitation could allow attackers to:
- Execute arbitrary system commands
- Access sensitive development data
- Install persistent malware
- Compromise developer environments
A developer cloning and opening a malicious repository could unknowingly trigger the attack immediately after loading the project in VS Code.
The vulnerabilities were disclosed under GitHub advisory GHSA-ccq4-xmxr-8hcq and impact all extension versions before 21.2.4.
The issues have now been fixed in the latest release, and developers are strongly advised to upgrade immediately.
Security Recommendations
To reduce risk, developers should:
- Update Angular Language Service to version 21.2.4 or later
- Avoid opening untrusted repositories
- Carefully review .vscode/settings.json files before opening a cloned project
- Use VS Code Workspace Trust features
- Monitor for suspicious extension behavior
- Follow secure coding and repository validation practices
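Both attack paths described above leave a visible trace in the repository itself: a TypeScript SDK override in .vscode/settings.json, and a command: link inside a JSDoc comment. The following Node.js script is an added example, not code from the advisory, the researchers or the Angular project; it screens a cloned repository for those two indicators before the project is opened in VS Code. It assumes the override uses the standard VS Code key typescript.tsdk (the page does not quote the exact key) and that hover links use the Markdown [label](command:...) syntax; the sample settings and source file are constructed, and the command id in the sample is hypothetical.

```javascript
// Added example, not code from the advisory or the Angular project: a pre-open
// audit that flags the two repository-resident indicators described in this
// article, a TypeScript SDK override in .vscode/settings.json and command:
// links in JSDoc comments. Assumptions not stated on the page: the override
// uses the standard VS Code key "typescript.tsdk", and hover links use the
// Markdown "[label](command:...)" syntax.

const TSDK_KEY = "typescript.tsdk";
// The usual, pinned-dependency location; anything else gets a higher severity.
const CONVENTIONAL_TSDK = /^(\.\/)?node_modules\/typescript\/lib\/?$/;
// JSDoc blocks only (/** ... */), matching the page's description.
const JSDOC_BLOCK = /\/\*\*[\s\S]*?\*\//g;
// Markdown link whose target is a command: URI; group 1 is the URI.
const COMMAND_LINK = /\[[^\]]*\]\(\s*(command:[^)\s]*)/g;

// Any tsdk override in a repository you did not write means the extension
// loads a tsserverlibrary.js chosen by that repository.
function auditSettings(settingsJson) {
  if (settingsJson == null) return [];
  let settings;
  try {
    // Caveat: real settings.json files may contain comments (JSONC); a production
    // checker should use a JSONC parser. An unparseable file still gets a finding.
    settings = JSON.parse(settingsJson);
  } catch (e) {
    return [{ rule: "settings-unparseable", severity: "review", detail: e.message }];
  }
  const tsdk = settings[TSDK_KEY];
  if (typeof tsdk !== "string") return [];
  const normalized = tsdk.replace(/\\/g, "/"); // treat Windows separators alike
  return [{
    rule: "tsdk-override",
    severity: CONVENTIONAL_TSDK.test(normalized) ? "review" : "high",
    detail: tsdk,
  }];
}

// Reports every command: link inside a JSDoc block, with its 1-based line number.
function auditJsDoc(source) {
  const findings = [];
  for (const block of source.matchAll(JSDOC_BLOCK)) {
    const line = source.slice(0, block.index).split("\n").length;
    for (const link of block[0].matchAll(COMMAND_LINK)) {
      findings.push({ rule: "jsdoc-command-uri", severity: "high", line, detail: link[1] });
    }
  }
  return findings;
}

// repo = { settingsJson: string | undefined, sources: { [path]: string } }
function auditRepository(repo) {
  const findings = auditSettings(repo.settingsJson)
    .map((f) => ({ file: ".vscode/settings.json", ...f }));
  for (const [file, source] of Object.entries(repo.sources || {})) {
    for (const f of auditJsDoc(source)) findings.push({ file, ...f });
  }
  const verdict = findings.some((f) => f.severity === "high") ? "do-not-trust"
    : findings.length > 0 ? "review" : "clean";
  return { verdict, findings };
}

// Constructed sample repository (not real-world data): a tsdk pointing at a
// repo-controlled folder, plus one JSDoc hover link with a hypothetical command id.
const SAMPLE_SETTINGS = JSON.stringify({
  [TSDK_KEY]: "./tools/ts-lib",
  "editor.formatOnSave": true,
});
const SAMPLE_SOURCE = [
  "/**",
  " * Formats a price. See [docs](command:example.doSomething) for options.",
  " */",
  "export function formatPrice(n) { return n.toFixed(2); }",
  "/** Ordinary link, not flagged: [site](https://example.com). */",
  "export const currency = 'EUR';",
].join("\n");

const report = auditRepository({
  settingsJson: SAMPLE_SETTINGS,
  sources: { "src/price.ts": SAMPLE_SOURCE },
});
console.log(JSON.stringify(report, null, 2));
```

Run against a real checkout, the script would read .vscode/settings.json and each .ts/.js file into the repo object; the verdict is a triage hint, not a guarantee, since a command link outside a JSDoc block or a settings file written as JSONC falls outside what it parses. A "do-not-trust" verdict is a reason to keep the folder in Restricted Mode and inspect the referenced path before enabling Workspace Trust.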
The findings highlight growing security risks targeting software development environments and trusted developer tools.