Full Report
Lite XL, a lightweight text editor written in Lua and C that runs on Windows, Linux, and macOS, has been found to contain a high-severity vulnerability that could enable arbitrary code execution. Security researchers have identified flaws in how the editor handles project configuration files, potentially exposing users to malicious code execution when opening untrusted […] The post Lite XL Vulnerability Allows Attackers to Execute Arbitrary Code appeared first on GBHackers Security.
Analysis Summary
# Vulnerability: Arbitrary Code Execution via Automatic Project File Loading in Lite XL
## CVE Details
- CVE ID: CVE-2025-12120
- CVSS Score: High (no numeric score is provided; the source describes the severity as 'High')
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection')), inferred from the arbitrary Lua execution
## Affected Systems
- Products: Lite XL text editor
- Versions: 2.1.8 and prior
- Configurations: Users opening untrusted project configuration files (.lite_project.lua).
## Vulnerability Description
The vulnerability (CVE-2025-12120) stems from Lite XL's default behavior of automatically loading and executing the project configuration file, `.lite_project.lua`, upon opening a project directory, without requiring explicit user confirmation. An attacker can craft a malicious project containing executable Lua code within this file. When an unsuspecting user opens the project, the malicious Lua code executes automatically with the privileges of the Lite XL process. This allows for Arbitrary Code Execution (ACE).
## Exploitation
- Status: PoC available (inferred from the researcher's disclosure; a public PoC is not explicitly stated)
- Complexity: Low (the code runs automatically when the project is opened, with no further user interaction)
- Attack Vector: Local (Requires the user to open a specially crafted project file, often via cloning a repository or downloading an archive).
## Impact
- Confidentiality: High (Potential for unauthorized access, data exfiltration)
- Integrity: High (Ability to inject backdoors or modify ongoing projects/environment)
- Availability: Medium (Potential for denial of service, though ACE is the primary threat)
## Remediation
### Patches
- Updates addressing this vulnerability introduce a security prompt that requires explicit user approval before project modules execute code.
- The specific patched version is not detailed; users must update beyond version 2.1.8 (the fix is implied by PR #1472 and PR #1473).
### Workarounds
- Avoid opening untrusted or unknown project directories in Lite XL.
- Review project configuration files for executable code before opening projects, if upgrading is not immediately possible.
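The second workaround asks for a manual review of `.lite_project.lua` before a project is opened. The following Python script is an added example, not part of the report or of the Lite XL project: it lists every line of a project file that references a Lua primitive able to run code or spawn a process, so the reviewer knows exactly what to look at before trusting the directory. The list of standard Lua primitives is ordinary Lua knowledge; `process.start` is assumed to be the name of Lite XL's own process API, `exec` is the legacy function the report says PR #1473 removes, and the sample project file is constructed for this example.

```python
import re

# Lua primitives that let a project file execute code or spawn processes.
# Standard Lua: os.execute, io.popen, loadstring, loadfile, dofile, load, require.
# `process.start` is assumed to be Lite XL's process API; `exec` is the legacy
# function the report says PR #1473 removes. Longer names come first so the
# regex alternation prefers them over their prefixes (loadstring before load).
RISKY_CALLS = [
    "os.execute", "io.popen", "loadstring", "loadfile", "dofile",
    "load", "require", "process.start", "exec",
]

# A Lua call may use parentheses or a bare string/table argument
# (require "x", dofile [[x]]); `_G[` catches indirect lookups of globals
# such as _G["os"]["execute"] that would otherwise dodge the name match.
_CALL_RE = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in RISKY_CALLS) + r")\s*(?:\(|[\"'\[{])"
    r"|(_G\s*\[)"
)


def scan_project_file(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, primitive, line) for every line that references a
    code-execution or process-spawning primitive.

    Comments are deliberately not stripped: a commented-out call is reported
    too and the human reviewer decides, so nothing hidden behind a `--` inside
    a string can turn into a false negative.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            findings.append((lineno, m.group(1) or "_G[", line.strip()))
    return findings


def scan_path(path: str) -> list[tuple[int, str, str]]:
    """Scan a project file on disk, e.g. <repo>/.lite_project.lua."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_project_file(fh.read())


def is_safe_to_open(text: str) -> bool:
    """True only when the file contains nothing that needs a human look."""
    return not scan_project_file(text)


# Constructed .lite_project.lua used only to exercise the scanner.
SAMPLE_PROJECT_FILE = """\
-- constructed .lite_project.lua, written for this example only
config.indent_size = 2
config.plugins.trimwhitespace = true
local handle = io.popen("uname -a")
os.execute("echo hello from the project file")
-- os.execute("id") commented out: still reported, reviewer decides
"""

if __name__ == "__main__":
    for lineno, call, line in scan_project_file(SAMPLE_PROJECT_FILE):
        print(f"line {lineno}: {call}: {line}")
    print("safe to open without review:", is_safe_to_open(SAMPLE_PROJECT_FILE))
```

Run `scan_path("/path/to/clone/.lite_project.lua")` on a freshly cloned repository before opening it in an unpatched editor. A clean result means only that none of the listed names appear; a flagged result is a prompt for review, not proof of malice, because a legitimate project file can call `require` for a plugin.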
## Detection
- Indicators of Compromise: Unexpected process execution originating from the Lite XL process, file modifications within user environments unrelated to editing, or network connections initiated by Lite XL.
- Detection methods and tools: Process monitoring tools configured to flag unusual system calls or file access by the Lite XL executable.
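The indicators above (a child process spawned by the editor, a network connection made by it, or a file written outside the project being edited) translate directly into detection rules. The Python below is an added example, not part of the report: it applies those three rules to JSON-lines process telemetry. The event schema, the binary names `lite-xl` and `lite-xl.exe`, the `~/.config/lite-xl` configuration directory and the log lines themselves are all constructed assumptions for this example; map them onto whatever your EDR, auditd or Sysmon pipeline actually emits.

```python
import json
import os

# Image names under which Lite XL runs (assumption: lite-xl, lite-xl.exe on Windows).
LITE_XL_IMAGES = {"lite-xl", "lite-xl.exe"}


def _is_lite_xl(image: str) -> bool:
    return os.path.basename(image or "").lower() in LITE_XL_IMAGES


def _under(path: str, roots) -> bool:
    """True when `path` is one of `roots` or lies beneath one of them."""
    norm = os.path.normpath(path)
    for root in roots:
        r = os.path.normpath(root)
        if norm == r or norm.startswith(r + os.sep):
            return True
    return False


def detect(log_lines, project_roots, config_roots, allowed_children=()):
    """Apply three Lite XL-specific rules to JSON-lines telemetry.

    Constructed event schema: event (process_create | network_connect |
    file_write), image, parent_image, cmdline, path, dest.
    `allowed_children` lists child image names the editor is expected to
    spawn (language servers, formatters) so they do not raise alerts.
    """
    alerts = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("event")
        if kind == "process_create" and _is_lite_xl(ev.get("parent_image", "")):
            child = os.path.basename(ev.get("image", ""))
            if child not in allowed_children:
                alerts.append({"rule": "child_process_from_editor",
                               "detail": ev.get("cmdline", child)})
        elif kind == "network_connect" and _is_lite_xl(ev.get("image", "")):
            alerts.append({"rule": "editor_network_connection",
                           "detail": ev.get("dest")})
        elif kind == "file_write" and _is_lite_xl(ev.get("image", "")):
            path = ev.get("path", "")
            if not _under(path, project_roots) and not _under(path, config_roots):
                alerts.append({"rule": "file_write_outside_workspace",
                               "detail": path})
    return alerts


# Constructed telemetry: a normal editor launch and edits, then the three
# behaviours the report lists as indicators, plus an expected language server.
SAMPLE_LOG = """\
{"event": "process_create", "parent_image": "/usr/bin/bash", "image": "/usr/bin/lite-xl", "cmdline": "lite-xl /home/alice/projects/demo"}
{"event": "file_write", "image": "/usr/bin/lite-xl", "path": "/home/alice/projects/demo/main.c"}
{"event": "file_write", "image": "/usr/bin/lite-xl", "path": "/home/alice/.config/lite-xl/init.lua"}
{"event": "process_create", "parent_image": "/usr/bin/lite-xl", "image": "/bin/sh", "cmdline": "sh -c id"}
{"event": "network_connect", "image": "/usr/bin/lite-xl", "dest": "203.0.113.10:443"}
{"event": "file_write", "image": "/usr/bin/lite-xl", "path": "/home/alice/.bashrc"}
{"event": "process_create", "parent_image": "/usr/bin/lite-xl", "image": "/usr/bin/clangd", "cmdline": "clangd"}
"""

PROJECT_ROOTS = ["/home/alice/projects"]
CONFIG_ROOTS = ["/home/alice/.config/lite-xl"]  # assumption: Lite XL user dir

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), PROJECT_ROOTS, CONFIG_ROOTS,
                        allowed_children=("clangd",)):
        print(alert)
```

The child-process rule is the noisy one: plugins legitimately spawn language servers, linters and terminals, so tune `allowed_children` per host rather than suppressing the rule. The file-write rule depends on knowing the project roots; on a shared workstation they can be read from the editor's recent-projects list or the command line that launched it.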
## References
- Security researcher Dogus Demirkiran reported the vulnerability.
- Vendor fixes referenced via pull request numbers: PR #1472 (Trust guard for project modules) and PR #1473 (Removal of legacy `exec` function).
- Independent confirmation link: kb.cert.org/vuls/id/579478 (Defanged)