VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2026 · Updated Jun 22, 2026

Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension

CVE-2026-50178

Description

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. The client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine. Versions prior to 21.2.4 are affected; this vulnerability is fixed in 21.2.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The client-side Markdown renderer is configured with isTrusted: true, and the server-side JSDoc processing does not escape or sanitize brackets, raw links, or control characters, allowing injection of active command: URIs."

Attack vector

An attacker crafts a TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active `command:` URI link. When a developer opens the project workspace and hovers over the target symbol, the extension renders the tooltip Markdown with `isTrusted: true`, making the link clickable. If the developer clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine, bypassing VS Code's Workspace Trust model [ref_id=1].

Affected code

The vulnerability resides in the Angular Language Service VS Code extension. The client-side file `client/src/client.ts` sets `isTrusted: true` on the Markdown renderer, enabling active `command:` URIs. The server-side files `server/src/handlers/hover.ts` and `server/src/text_render.ts` fail to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding hover Markdown content [ref_id=1].

What the fix does

The advisory states that upgrading to version 21.2.4 fixes the vulnerability. Two referenced patches harden JSDoc Markdown trust and document opening (PR #68858) and disable the language server in untrusted workspaces (PR #68886). The fix ensures that JSDoc strings are properly sanitized before being rendered as Markdown and that the extension does not trust content from untrusted workspaces, preventing active `command:` URIs from being executed [ref_id=1].
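As an added illustration (not the Angular project's code and not its actual patch), the TypeScript below shows the two defensive layers the advisory describes: on the server side, stripping control characters and escaping link-forming Markdown syntax from JSDoc text before it becomes hover content, and on the client side, building the hover with `isTrusted` left `false` so that a `command:` URI cannot become clickable even if escaping were bypassed. The `HoverMarkdown` interface (a stand-in for the shape of `vscode.MarkdownString`, since the `vscode` module only exists inside the extension host), the function names, the regular expressions and the sample JSDoc string are all assumptions constructed for this example.

```typescript
// Added example, not the Angular Language Service's own code.

// Stand-in for the relevant fields of vscode.MarkdownString (assumed shape).
interface HoverMarkdown {
  value: string;
  isTrusted: boolean;
}

// C0/C1 control characters and DEL, excluding \t, \n and \r, which JSDoc text legitimately uses.
const CONTROL_CHARS = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f-\u009f]/g;

// Characters that can open a Markdown link, image, autolink, reference definition or raw HTML.
const LINK_SYNTAX = /[\\\[\]<>]/g;

// Server-side step: strip control characters and backslash-escape link syntax so the
// JSDoc renders as literal text. Bare "command:" words are left alone; they are plain
// text once no link syntax surrounds them, and isTrusted: false is the backstop.
export function sanitizeJsDocForHover(jsDoc: string): string {
  return jsDoc
    .replace(CONTROL_CHARS, "")
    .replace(LINK_SYNTAX, (ch) => "\\" + ch);
}

// Detection step: true if the Markdown still carries a clickable command: URI as an
// inline link "](command:", an autolink "<command:", or a reference "]: command:".
export function containsActiveCommandLink(markdown: string): boolean {
  // Drop escaped characters first so "\]" and "\<" are not mistaken for live syntax.
  const unescaped = markdown.replace(/\\[\\\[\]<>]/g, "");
  return /(\]\s*\(\s*|<\s*|\]:\s*)command:/i.test(unescaped);
}

// Client-side step: assemble the hover with isTrusted: false. The detection check is
// defence in depth; it rejects content rather than rendering an active link.
export function buildHover(jsDoc: string, signature: string): HoverMarkdown {
  const doc = sanitizeJsDocForHover(jsDoc);
  const value = "```typescript\n" + signature + "\n```\n\n" + doc;
  if (containsActiveCommandLink(value)) {
    throw new Error("hover content still contains an active command: link");
  }
  return { value, isTrusted: false };
}

// Constructed sample JSDoc (not from any real package): a Markdown link whose target
// uses the command: scheme with a placeholder command name, plus a stray BEL character.
export const SAMPLE_JSDOC =
  "Formats a date.\n\nSee [docs](command:example.placeholder) for details.\u0007";

// Usage: the sanitized text keeps the words but the link is inert, and the hover is untrusted.
const hover = buildHover(SAMPLE_JSDOC, "formatDate(d: Date): string");
console.log(hover.isTrusted, containsActiveCommandLink(hover.value));
```

The escaping and the `isTrusted: false` setting are independent controls: the first makes the JSDoc render as text, the second removes VS Code's willingness to activate `command:` URIs in that hover at all. The detection helper is the kind of check a reviewer can run over hover output in tests to confirm that neither `](command:`, `<command:` nor `]: command:` survives sanitization.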

Preconditions

  • config: The victim must have the Angular Language Service extension (Angular.ng-template, version prior to 21.2.4) active in their workspace.
  • input: The developer must open a code folder or install a package dependency containing a TS/JS file whose JSDoc comment carries a formatted link with an active command: URI and its parameters.
  • auth: The developer must hover over the target symbol to render the Markdown tooltip popup and click the active link inside the balloon bubble.

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
