Multiple Angular Language Service Extension Vulnerabilities Enable RCE Attacks

HomeCyber Security News Multiple Angular Language Service Extension Vulnerabilities Enable RCE Attacks By Abinaya May 26, 2026 A set of high-severity vulnerabilities has been identified in the Angular Language Service Visual Studio Code extension (Angular.ng-template), potentially exposing developers to remote code execution (RCE) attacks through multiple exploitation paths. The vulnerabilities arise from insecure handling of user-controlled input and unsafe configuration loading within the extension. Researchers found that attackers can exploit trusted development workflows, such as opening a project or reviewing source code, to execute arbitrary commands on a developer’s system. Angular Extension Vulnerabilities One of the key attack vectors involves JSDoc hover-based command injection. The extension configures its Markdown rendering engine with the “isTrusted: true” setting, which allows execution of embedded command URIs inside rendered content. However, the Angular language server fails to properly sanitize JSDoc comments before passing them to the renderer. As a result, an attacker can craft a malicious JSDoc comment containing a command link within a TypeScript or JavaScript file. When a developer hovers over the affected symbol and clicks the link, the embedded command is executed directly on the host machine. A second critical issue involves insecure handling of the TypeScript SDK (tsdk) configuration. The extension reads tsdk-related settings directly from the workspace’s .vscode/settings.json file without verifying workspace trust or requiring user consent. It then passes this path to the background language server, which dynamically loads the tsserverlibrary.js file using Node.js require(). An attacker can exploit this behavior by placing a malicious tsserverlibrary.js file in a project directory and referencing it through the workspace configuration. When the developer opens the project, the extension silently executes the malicious code during initialization, requiring no user interaction. These vulnerabilities effectively bypass VS Code’s Workspace Trust model, which is designed to prevent execution of untrusted code. The tsdk-based attack runs automatically when a project is opened. In contrast, the JSDoc-based attack requires minimal user interaction, making both pathways highly practical for real-world exploitation. Successful attacks can result in complete system compromise, including unauthorized command execution, data access, and persistence. For example, a developer cloning a seemingly legitimate repository could unknowingly trigger the exploit by simply opening the project in VS Code, allowing the attacker to gain immediate control via a malicious configuration file. The issues, disclosed under GitHub advisory GHSA-ccq4-xmxr-8hcq, affect all versions before 21.2.4 and have been addressed in the latest patched release. The vulnerabilities are classified as high severity under CVSS v4, with low attack complexity and no privileges required. They are associated with multiple weaknesses, including cross-site scripting, code injection, uncontrolled search path elements, and execution of unverified code. Developers are strongly advised to upgrade to version 21.2.4 or later immediately. In addition, it is critical to avoid opening untrusted repositories, carefully review workspace configuration files, and follow secure development practices when working with third-party code. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Microsoft Releases Mitigation for Windows BitLocker Security Bypass 0-Day Vulnerability PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack Ubiquiti Patches Critical UniFi OS Vulnerabilities Allowing Remote Privilege Escalation Latest News Cyber Security News Quasar Linux RAT Targets Developers With Fileless Execution and eBPF Rootkit Cyber Security News China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant Cyber Security Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware Cyber Security Microsoft SharePoint Server Vulnerability Enables Remote Code Execution Attacks Cyber Security News NightSpire Ransomware Uses RDP Access and Remote Admin Tools for Stealthy Persistence