Description
The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process. During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path. An attacker can exploit this behavior by committing a repository containing a local malicious tsserverlibrary.js script inside a custom folder, and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background. This vulnerability is fixed in 21.2.4.
Published: 2026-06-22
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Angular Language Service VS Code Extension reads the user‑supplied TypeScript SDK path from the workspace configuration without checking VS Code’s Workspace Trust or requesting permission. It then passes that path to the background Node.js language server as a command‑line argument. The language server resolves and dynamically imports the module tsserverlibrary.js from the specified directory. An attacker can create a repository containing a malicious tsserverlibrary.js and a crafted settings file pointing to it. When a developer opens the repository, the extension automatically loads and executes the attacker’s script, leading to remote code execution in the user’s environment. This flaw permits full compromise of the developer’s machine and any services accessed by the extension.

Affected Systems

All installations of the Angular Language Service VS Code Extension prior to version 21.2.4 are vulnerable. The issue affects the angular:angular product used by developers who enable the extension in VS Code workspaces that contain a custom tsdk path specified in .vscode/settings.json.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, but the exploitation path requires only that a malicious repository be opened in VS Code—a scenario that can easily occur in collaborative or open‑source environments. The flaw is not yet listed in CISA’s KEV catalog, but given its RCE nature it should be treated with high urgency.

Generated by OpenCVE AI on June 22, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Angular Language Service VS Code Extension to version 21.2.4 or later.
  • Ensure that the extension is only enabled in trusted workspaces by configuring the Workspace Trust settings in VS Code.
  • Avoid setting custom TypeScript SDK paths in untrusted or public repositories; if necessary, limit the directory to trusted code or remove the setting before opening the workspace.



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Type: Description
  Values added: the CVE description text shown at the top of this page
Type: Title
  Values added: Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Code Extension
Type: Weaknesses
  Values added: CWE-427, CWE-494, CWE-79, CWE-94
Type: References
  Values added: (none listed)
Type: Metrics
  Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:16:14.945Z

Reserved: 2026-05-28T14:33:01.177Z

Link: CVE-2026-49241

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses
  • CWE-427

    Uncontrolled Search Path Element

  • CWE-494

    Download of Code Without Integrity Check

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')