CVE-2026-49241
Code Execution via Malicious tsserverlibrary.js in Angular Language Service

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process. During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path. An attacker can exploit this behavior by committing a repository containing a local malicious tsserverlibrary.js script inside a custom folder, and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background. This vulnerability is fixed in 21.2.4.
Meta Information
Generated: 2026-06-22
Affected Vendors & Products
Vendor: angular
Product: angular_language_service
Version range: all versions before 21.2.4 (21.2.4 excluded)
CWE
CWE-427: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-494: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Compliance Impact

The vulnerability allows arbitrary remote code execution by silently loading and executing malicious scripts from untrusted workspace configurations without user consent or verification. This can lead to unauthorized access, modification, or disruption of data and systems.

Such unauthorized code execution and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Specifically, the vulnerability's ability to bypass security measures and execute malicious code could lead to breaches of personal or sensitive data, violating regulatory requirements for protecting such information.

Executive Summary

The vulnerability in the Angular Language Service VS Code Extension (prior to version 21.2.4) arises because the extension reads custom TypeScript SDK paths directly from workspace configuration files without verifying if the workspace is trusted or asking for user consent.

It then passes these paths as command-line arguments to a background Node.js language server, which dynamically loads and executes a module (tsserverlibrary.js) from the specified path.

An attacker can exploit this by committing a repository containing a malicious tsserverlibrary.js script and a crafted .vscode/settings.json file pointing to that script. When a developer opens the repository in VS Code, the extension silently loads and executes the malicious code without warning.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on a developer's machine without their knowledge or consent simply by opening a malicious repository in VS Code.

Such arbitrary remote code execution can compromise the confidentiality, integrity, and availability of the developer's system and data.

It can lead to unauthorized access, data theft, system manipulation, or disruption of development workflows.

Detection Guidance

This vulnerability involves the Angular Language Service VS Code extension loading malicious scripts from workspace configurations without verifying workspace trust. Detection involves checking if your VS Code workspace contains suspicious or unexpected .vscode/settings.json files that specify custom TypeScript SDK paths (typescript.tsdk or js/ts.tsdk.path) pointing to unusual directories.

You can manually inspect the .vscode/settings.json file in your project folders for suspicious tsdk path entries.

Additionally, monitoring for unexpected Node.js processes spawned by the Angular Language Service extension or unusual file access to tsserverlibrary.js files in workspace directories may help detect exploitation attempts.

While no specific commands are provided in the resources, you can use commands like the following to check for suspicious settings files and tsserverlibrary.js files:

  • Find all .vscode/settings.json files in your workspace: `find . -path '*/.vscode/settings.json'`
  • Search for tsdk path entries in these settings files (this form does not depend on bash's globstar option, which `**` needs to recurse): `find . -path '*/.vscode/settings.json' -exec grep -H 'tsdk' {} +`
  • Look for tsserverlibrary.js files in your workspace: `find . -name 'tsserverlibrary.js'`
  • Monitor running Node.js processes related to the Angular Language Service and check their command lines for --tsdk usage (the bracket pattern keeps grep from matching itself): `ps axo pid,args | grep '[-]-tsdk'`

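As an added example that is not part of this record, the following Python scanner applies the checks above across a directory tree: it parses every .vscode/settings.json, resolves the two tsdk keys named in the description against their workspace folder, and flags the pattern the advisory describes (a path inside the repository itself that already contains a tsserverlibrary.js). The two sample repositories it builds under a temporary directory are constructed for the example; only the setting names and the file name come from the advisory.

```python
import json
import re
import tempfile
from pathlib import Path

# Settings the vulnerable extension read from .vscode/settings.json without a Workspace Trust check.
TSDK_KEYS = ("typescript.tsdk", "js/ts.tsdk.path")

def load_settings(path: Path) -> dict:
    """Parse settings.json; strip // line comments, which VS Code accepts (JSONC)."""
    text = re.sub(r"^\s*//.*$", "", path.read_text(encoding="utf-8", errors="replace"), flags=re.M)
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        data = None
    return data if isinstance(data, dict) else {}

def scan_workspace(root) -> list:
    """Report every .vscode/settings.json under root that sets a custom tsdk path; a finding is
    'suspicious' when the path is inside the repo itself and already ships a tsserverlibrary.js."""
    findings = []
    for settings in Path(root).rglob(".vscode/settings.json"):
        workspace = settings.parent.parent.resolve()
        data = load_settings(settings)
        for key in TSDK_KEYS:
            value = data.get(key)
            if not isinstance(value, str):
                continue
            tsdk_dir = (workspace / value).resolve()  # relative paths resolve against the workspace folder
            inside = tsdk_dir == workspace or workspace in tsdk_dir.parents
            has_lib = (tsdk_dir / "tsserverlibrary.js").is_file()
            findings.append({"settings": str(settings), "key": key, "tsdk": str(tsdk_dir),
                             "inside_workspace": inside, "has_tsserverlibrary": has_lib,
                             "suspicious": inside and has_lib})
    return findings

def build_demo_tree() -> Path:
    """Constructed sample input (hypothetical repos): one commits its own 'vendor/ts' SDK folder,
    one pins a not-yet-installed node_modules SDK, the usual benign reason to set typescript.tsdk."""
    root = Path(tempfile.mkdtemp(prefix="tsdk-scan-"))
    for name, tsdk in (("untrusted-repo", "vendor/ts"), ("benign-repo", "node_modules/typescript/lib")):
        (root / name / ".vscode").mkdir(parents=True)
        (root / name / ".vscode" / "settings.json").write_text(
            '{\n  // pin the TypeScript SDK\n  "typescript.tsdk": "%s"\n}\n' % tsdk)
    sdk = root / "untrusted-repo" / "vendor" / "ts"
    sdk.mkdir(parents=True)
    (sdk / "tsserverlibrary.js").write_text("// placeholder file, constructed for this example\n")
    return root

if __name__ == "__main__": print(*scan_workspace(build_demo_tree()), sep="\n")
```

Point `scan_workspace()` at a checkout root before opening it in VS Code; a benign pin to node_modules reports `inside_workspace` but not `suspicious`, so only committed SDK folders need a second look.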
Mitigation Strategies

The primary mitigation step is to upgrade the Angular Language Service VS Code extension to version 21.2.4 or later, where this vulnerability is fixed.

This update enforces workspace trust verification before loading custom TypeScript SDK paths and prevents the language server from launching in untrusted workspaces.

Additionally, avoid opening untrusted or suspicious repositories in VS Code without verifying their contents, especially those containing .vscode/settings.json files with custom tsdk paths.

If you must work with untrusted workspaces, ensure that VS Code's Workspace Trust feature is enabled and only grant trust explicitly after careful review.
