Angular Language Service Extension Flaws Allow Remote Code Execution
ID: ab08840c-7698-527f-8d6f-7af73ee56b0f
STIX ID: report--ab08840c-7698-527f-8d6f-7af73ee56b0f
Feed Name: GBHackers
Multiple high-severity remote code execution vulnerabilities were discovered in the Angular Language Service VS Code extension (patched in version 21.2.4). Attackers can exploit a JSDoc hover Markdown command injection and an unsafe tsdk loading mechanism to execute arbitrary code — the latter can run silently during workspace initialization and both bypass VS Code Workspace Trust. Developers are advised to upgrade immediately, review workspace settings, avoid untrusted repositories, and enforce strict trust policies.
