Lite XL, a lightweight text editor popular among developers, contains two critical vulnerabilities that could allow attackers to execute arbitrary code on affected systems.
The flaws were disclosed on November 11, 2025, affecting all versions prior to 2.1.8.
The Vulnerabilities
The first vulnerability, identified as CVE-2025-12120, involves the automatic execution of .lite_project.lua files without user confirmation.
When users open a project directory in Lite XL, the editor automatically runs the project configuration file containing Lua code.
This creates a significant security risk: opening a malicious project can execute untrusted code with the same privileges as the text editor itself.
An attacker could distribute a compromised project repository, deceiving users into cloning it and unknowingly running malicious code.
The second flaw, CVE-2025-12121, exists in the legacy system.exec function used throughout the application.
This function constructs shell commands without proper sanitization, enabling arbitrary command execution.
The vulnerable function appears in multiple locations, including project launching, drag-and-drop file handling, and the treeview plugin.
Attackers exploiting this weakness could execute system commands with full editor privileges, potentially compromising the entire host system.
These vulnerabilities pose serious threats to developers working with untrusted codebases.
A malicious actor could inject code into open-source repositories or send crafted project files to unsuspecting users.
Once the project is opened in Lite XL, the code runs automatically; no user interaction beyond opening the project is required.
Users must update Lite XL immediately to versions incorporating security patches. The fixes include PR #1472, which implements trust guards for project modules, and PR #1473, which removes the unsafe legacy exec function entirely.
These patches prevent automatic code execution and eliminate dangerous methods for constructing shell commands.
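Before opening a freshly cloned project in an unpatched Lite XL, a user can at least see whether it ships a .lite_project.lua and what that file would run. The following Python pre-open check is an added example, not code from Lite XL or from the advisory: it lists every project module under a checkout with its SHA-256 and flags Lua calls that spawn processes or evaluate code. The pattern list is a heuristic of my own, process.start is assumed to be Lite XL's process API, and the sample module is constructed.

```python
import hashlib
import os
import re
import tempfile
# File Lite XL auto-runs when a project directory is opened (CVE-2025-12120).
PROJECT_MODULE = ".lite_project.lua"

# Lua calls that can spawn processes or evaluate code. Heuristic only: a hit
# means "review before opening"; no hit does not mean the file is safe.
RISKY_PATTERNS = {
    "system.exec": re.compile(r"\bsystem\.exec\s*\("),
    "os.execute": re.compile(r"\bos\.execute\s*\("),
    "io.popen": re.compile(r"\bio\.popen\s*\("),
    "process.start": re.compile(r"\bprocess\.start\s*\("),  # assumed Lite XL API
    "load/loadstring": re.compile(r"\b(?:load|loadstring)\s*\("),
}

def risky_calls(lua_source: str) -> list[str]:
    """Return the names of risky calls found in a Lua source string."""
    return [name for name, pat in RISKY_PATTERNS.items() if pat.search(lua_source)]

def scan_project(root: str) -> list[dict]:
    """Walk a checkout and report every project module with its hash and flags."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if PROJECT_MODULE in files:
            path = os.path.join(dirpath, PROJECT_MODULE)
            with open(path, "rb") as fh:
                data = fh.read()
            findings.append({
                "path": os.path.relpath(path, root),
                "sha256": hashlib.sha256(data).hexdigest(),
                "risky_calls": risky_calls(data.decode("utf-8", "replace")),
            })
    return findings

# Constructed sample: harmless editor settings plus one shell call that would
# run the moment the project is opened in an unpatched Lite XL.
SAMPLE_MODULE = """\
local config = require "core.config"
config.indent_size = 2
os.execute("echo project opened")
"""

def demo() -> list[dict]:
    # Write the constructed sample into a temporary checkout and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, PROJECT_MODULE), "w") as fh:
            fh.write(SAMPLE_MODULE)
        return scan_project(tmp)
```

Run scan_project against a real checkout directory to get the same report for it; any file it lists should be read before the project is opened in the editor.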
| CVE ID | Vulnerability | Type | Affected Versions | CVSS Score | Fix |
|---|---|---|---|---|---|
| CVE-2025-12120 | Automatic .lite_project.lua Execution | Arbitrary Code Execution | Lite XL 2.1.8 and prior | High | PR #1472 |
| CVE-2025-12121 | Legacy system.exec Function | Arbitrary Command Execution | Lite XL 2.1.8 and prior | High | PR #1473 |