Angular Language Service Extension Flaws Allow Remote Code Execution

GBHackers On Security, May 26, 2026

Why It Matters

The flaws give attackers full control over a developer’s machine, turning a routine coding tool into a supply‑chain attack vector and forcing immediate remediation across Angular development teams.

Key Takeaways

  • RCE possible via malicious JSDoc hover links.
  • tsdk path injection loads attacker‑controlled tsserverlibrary.js.
  • All Angular Language Service versions before 21.2.4 are vulnerable.
  • Exploits bypass VS Code workspace‑trust, compromising developer machines.
  • Immediate upgrade to 21.2.4 mitigates the threats.

Pulse Analysis

The Angular Language Service extension, a staple for Angular developers in VS Code, has been found to contain two high‑severity flaws that enable remote code execution. A JSDoc hover vulnerability allows malicious Markdown links to trigger command URIs, while a mis‑handled TypeScript SDK (tsdk) setting lets an attacker supply a rogue tsserverlibrary.js file that the language server loads without verification. Both issues stem from insufficient input sanitization and a trust model that assumes project files are safe, turning a routine code‑review action into a potential attack vector.

The exploitation path is especially concerning because it sidesteps VS Code’s Workspace Trust safeguards, which are designed to isolate untrusted code. By embedding malicious JSDoc comments or configuring a compromised tsdk path, an attacker can achieve full command execution the moment a developer opens the workspace, often without any click. This mirrors recent supply‑chain attacks on developer tooling, highlighting that IDE extensions are an increasingly attractive attack surface. Organizations that standardize on Angular must now treat extension hygiene with the same rigor as third‑party libraries.

The immediate remedy is to upgrade the Angular Language Service to version 21.2.4 or later, which disables the vulnerable code paths. Administrators should also enforce strict workspace‑trust policies, audit .vscode/settings.json files for unexpected tsdk entries, and consider disabling automatic extension loading for unverified repositories. In the longer term, developers and vendors alike need stronger validation of extension‑supplied content and clearer security boundaries within IDEs. As the ecosystem evolves, proactive patch management and supply‑chain monitoring will be essential to keep development environments resilient.
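The settings.json audit recommended above can be scripted. The following is an added example, not code from the article or the Angular project; it assumes the setting key is `typescript.tsdk` (the VS Code key the TypeScript language server reads), POSIX-style paths, and a constructed allowlist of trusted SDK locations. It flags a tsdk that resolves inside the checkout, which is exactly the case where the repository rather than the developer decides which tsserverlibrary.js gets loaded.

```python
"""Audit .vscode/settings.json for a repository-controlled tsdk path (added example;
assumes the key is "typescript.tsdk" and POSIX-style paths)."""
import json
import re
from pathlib import PurePosixPath

# Constructed allowlist: absolute SDK locations the organisation provisions itself.
TRUSTED_TSDK_PREFIXES = ("/usr/lib/node_modules/typescript/lib", "/opt/toolchains/typescript/")

def strip_jsonc(text: str) -> str:
    """settings.json is JSONC: drop // and /* */ comments, then trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str or ch == '"':  # inside a string literal: copy verbatim
            out.append(ch)
            if ch == "\\":  # keep the escaped character as well
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = not in_str
        elif text.startswith("//", i):  # line comment: jump to end of line
            nl = text.find("\n", i)
            i = nl if nl >= 0 else len(text)
        elif text.startswith("/*", i):  # block comment: jump past the closing */
            end = text.find("*/", i + 2)
            i = end + 1 if end >= 0 else len(text)
        else:
            out.append(ch)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def audit_tsdk(settings_text: str) -> list[str]:
    """Findings for one settings file; an empty list means no tsdk concern."""
    tsdk = json.loads(strip_jsonc(settings_text)).get("typescript.tsdk")
    if not isinstance(tsdk, str):
        return []
    path, findings = PurePosixPath(tsdk), []
    if not path.is_absolute():
        # Resolves inside the checkout, so the repository author picks tsserverlibrary.js.
        findings.append(f"tsdk is workspace-relative: {tsdk!r}")
    if ".." in path.parts:
        findings.append(f"tsdk uses parent traversal: {tsdk!r}")
    if path.is_absolute() and not str(path).startswith(TRUSTED_TSDK_PREFIXES):
        findings.append(f"tsdk outside trusted SDK locations: {tsdk!r}")
    return findings

SUSPICIOUS_SETTINGS = """{  // constructed sample: comments and trailing commas are legal JSONC
  "typescript.tsdk": "./tools/tsdk", /* resolves inside the repository */
}"""
```

Run `audit_tsdk` over every `.vscode/settings.json` in a checkout before the workspace is opened in an editor; any non-empty result is worth a human look.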
