Critical Vulnerabilities in Angular Language Service Extension Expose Developers to Remote Code Execution
Multiple high-severity vulnerabilities have been disclosed in the Angular Language Service extension for Visual Studio Code (extension identifier Angular.ng-template). The flaws let an attacker who controls a repository, or a dependency a project pulls in, execute arbitrary code on a developer's machine through more than one path.
Understanding the Vulnerabilities
The vulnerabilities stem from insecure handling of user-controlled input and unsafe loading of workspace configuration inside the extension. An attacker does not need to break anything unusual: ordinary development actions such as opening a cloned project, or hovering over a symbol while reading source code, are enough to get malicious code or commands executed on the developer's machine.
JSDoc Hover-Based Command Injection
One attack vector is command injection through JSDoc comments. The extension renders hover content with its Markdown renderer set to isTrusted: true, which allows command: URIs embedded in the rendered Markdown to run as VS Code commands when clicked. The Angular language server passes JSDoc text into that hover content without sanitizing it, so an attacker who can place a TypeScript or JavaScript file in the project (or in a dependency it imports) can write a JSDoc comment containing a Markdown link whose target is a command URI. When a developer hovers over the documented symbol and clicks the link, the command runs with the editor's privileges on the host machine.
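To make the two settings concrete, here is an added example (not code from the Angular extension) that models how a JSDoc comment becomes hover Markdown and contrasts the trusted, unsanitized shape described above with a hardened one. The function names, the simplified link regex and the sample comment are all constructed for this illustration; in a real extension the returned object would correspond to a vscode.MarkdownString, whose isTrusted flag is what decides whether command: links are executable.

```typescript
// Added example, not the extension's own code.
// Hypothetical helpers: jsdocToText, stripCommandLinks,
// buildHoverMarkdownUnsafe, buildHoverMarkdownSafe, containsCommandUri.

// Constructed sample: a JSDoc comment as it might appear in a dependency.
// The last line carries a Markdown link whose target is a command: URI.
const SAMPLE_JSDOC = `/**
 * Formats a user name for display.
 * See [the formatting guide](https://example.invalid/guide) for details.
 * [Click to apply defaults](command:workbench.action.openSettings)
 */`;

// Markdown inline links: [label](target) with an optional "title".
// Simplified: a production sanitizer should walk a real Markdown AST so
// that autolinks, reference links and HTML are covered too.
const LINK_RE = /\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;

// Allow-list of link schemes that are safe to keep in hover content.
// Everything else (command:, file:, vscode:, relative paths) is dropped.
const SAFE_SCHEMES = new Set(["http", "https"]);

function isSafeTarget(target: string): boolean {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(target);
  return m !== null && SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Strip the /** ... */ delimiters and leading "* " so only the doc text remains.
function jsdocToText(comment: string): string {
  return comment
    .replace(/^\s*\/\*\*?/, "")
    .replace(/\*\/\s*$/, "")
    .split("\n")
    .map((line) => line.replace(/^\s*\*\s?/, ""))
    .join("\n")
    .trim();
}

// Replace any link with a non-allow-listed scheme by its plain label.
function stripCommandLinks(markdown: string): string {
  return markdown.replace(LINK_RE, (_whole, label: string, target: string) =>
    isSafeTarget(target) ? `[${label}](${target})` : label,
  );
}

interface HoverMarkdown {
  value: string;
  isTrusted: boolean; // mirrors vscode.MarkdownString.isTrusted
}

// The shape the article describes: trusted Markdown, raw JSDoc text.
// Clicking the command link in this hover executes the command.
function buildHoverMarkdownUnsafe(comment: string): HoverMarkdown {
  return { value: jsdocToText(comment), isTrusted: true };
}

// Hardened shape: untrusted Markdown (command links are inert) AND the
// command links removed, so a rendering quirk cannot reintroduce them.
function buildHoverMarkdownSafe(comment: string): HoverMarkdown {
  return { value: stripCommandLinks(jsdocToText(comment)), isTrusted: false };
}

// Detection helper: does rendered hover text still carry a command: link?
function containsCommandUri(markdown: string): boolean {
  return /\]\(command:/i.test(markdown);
}
```

The essential fix is the isTrusted flag: with it false, VS Code will not execute command: links regardless of content. Stripping the links as well is defence in depth, and the allow-list form (keep only http/https) is preferable to a deny-list that names command: alone, because other schemes can also be abused in trusted Markdown.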
Insecure TypeScript SDK Configuration Handling
Another critical issue is the insecure handling of the TypeScript SDK (tsdk) setting. The extension reads the tsdk path from the workspace's .vscode/settings.json without checking Workspace Trust or asking the user, and hands it to the background language server, which loads tsserverlibrary.js from that directory with Node.js require(). Because require() executes the module it loads, an attacker who commits a malicious tsserverlibrary.js to a repository and points the workspace tsdk setting at its directory gets code execution in the language server process as soon as the developer opens the project. No further interaction is needed; the code runs during extension initialization.
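The decision the vulnerable extension skips is whether a workspace-supplied tsdk path may be passed on at all. The following added example (not the extension's code) models that decision as a pure function so the vulnerable and hardened behaviour can be compared side by side. Assumptions, labelled: the setting key "typescript.tsdk" is VS Code's standard key and is assumed to be the one the extension reads (the advisory text above only says "tsdk-related settings"); workspaceTrusted stands in for vscode.workspace.isTrusted; bundledTsdk is the TypeScript copy shipped with the extension; the sample settings object and all function names are constructed.

```typescript
// Added example, not the extension's own code.
// Hypothetical helpers: resolveAgainst, resolveTsdkUnsafe, resolveTsdkSafe.

interface WorkspaceSettings {
  [key: string]: unknown;
}

interface TsdkDecision {
  source: "bundled" | "workspace";
  tsdk: string; // directory the language server would require() from
  reason: string;
}

// Assumed setting key (VS Code's standard key for the TypeScript SDK path).
const TSDK_KEY = "typescript.tsdk";

// Constructed sample: .vscode/settings.json from a cloned repository.
// The path points inside the repo, so tsserverlibrary.js there is
// attacker-controlled, exactly the setup the article describes.
const SAMPLE_WORKSPACE_SETTINGS: WorkspaceSettings = {
  [TSDK_KEY]: "./tooling/typescript/lib",
};

// Minimal path join (no Node "path" import needed for this illustration).
// Absolute paths are kept; relative ones are resolved against the workspace.
function resolveAgainst(root: string, configured: string): string {
  if (configured.startsWith("/")) return configured;
  const rel = configured.replace(/^\.\//, "");
  return `${root.replace(/\/$/, "")}/${rel}`;
}

function useBundled(bundledTsdk: string, reason: string): TsdkDecision {
  return { source: "bundled", tsdk: bundledTsdk, reason };
}

// Vulnerable shape: whatever the workspace says is handed to the server,
// which will then do require(tsdk + "/tsserverlibrary.js").
function resolveTsdkUnsafe(
  settings: WorkspaceSettings,
  workspaceRoot: string,
  bundledTsdk: string,
): TsdkDecision {
  const configured = settings[TSDK_KEY];
  if (typeof configured !== "string" || configured.trim() === "") {
    return useBundled(bundledTsdk, "no workspace tsdk configured");
  }
  return {
    source: "workspace",
    tsdk: resolveAgainst(workspaceRoot, configured),
    reason: "workspace tsdk used without a trust check",
  };
}

// Hardened shape: a workspace-supplied tsdk is only honoured when the
// workspace is trusted; otherwise the bundled TypeScript is used. Trust is
// the gate because the setting decides which code gets require()d.
function resolveTsdkSafe(
  settings: WorkspaceSettings,
  workspaceRoot: string,
  bundledTsdk: string,
  workspaceTrusted: boolean, // vscode.workspace.isTrusted in a real extension
): TsdkDecision {
  const configured = settings[TSDK_KEY];
  if (typeof configured !== "string" || configured.trim() === "") {
    return useBundled(bundledTsdk, "no workspace tsdk configured");
  }
  if (!workspaceTrusted) {
    return useBundled(
      bundledTsdk,
      "workspace is untrusted; ignoring workspace-supplied " + TSDK_KEY,
    );
  }
  return {
    source: "workspace",
    tsdk: resolveAgainst(workspaceRoot, configured),
    reason: "workspace is trusted; using workspace-supplied " + TSDK_KEY,
  };
}
```

In a real extension the trusted branch should additionally confirm that the resolved directory actually contains tsserverlibrary.js before the server is started, and re-run the decision when VS Code raises its workspace-trust-changed event, since a Restricted Mode workspace can be promoted to trusted after the extension has activated.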
Bypassing VS Code’s Workspace Trust Model
Both vulnerabilities undermine Visual Studio Code's Workspace Trust model, which exists precisely so that opening an untrusted folder does not execute code from it. The tsdk attack runs automatically when the project is opened; the JSDoc attack needs only a hover and a click. Both are practical for real-world exploitation.
Potential Consequences
Successful exploitation gives the attacker code execution as the developer, which is enough for unauthorized command execution, access to the developer's data and credentials, and persistence on the machine. For example, a developer who clones a plausible-looking repository and opens it in VS Code triggers the tsdk exploit immediately: the malicious settings.json points the extension at a tsserverlibrary.js committed alongside it, and the language server loads it without any prompt.
Mitigation Measures
The issues were disclosed in GitHub advisory GHSA-ccq4-xmxr-8hcq, affect all versions of the extension before 21.2.4, and are fixed in 21.2.4. They are rated high severity under CVSS v4, with low attack complexity and no privileges required. The advisory maps them to several weakness classes: cross-site scripting, code injection, uncontrolled search path elements, and execution of unverified code.
Recommendations for Developers
Developers should upgrade to version 21.2.4 or later immediately. Beyond that, treat freshly cloned repositories as untrusted (keep them in VS Code's Restricted Mode) until they have been reviewed, inspect .vscode/settings.json for tsdk entries that point inside the repository rather than at a known TypeScript installation, avoid clicking links in hover popups for code you do not trust, and follow the usual secure-development practices when working with third-party code.