
Lite XL Text Editor Vulnerability Lets Attackers Execute Arbitrary Code

A vulnerability has been discovered in Lite XL, a lightweight text editor, that could allow attackers to execute arbitrary code on affected systems.

Carnegie Mellon University experts identified CVE-2025-12120, which affects Lite XL versions 2.1.8 and earlier. The flaw exists in how Lite XL handles project configuration files.

How the Vulnerability Works

When users open a project directory, Lite XL automatically runs the .lite_project.lua file without asking for user confirmation.

This file is intended for project-specific settings and configurations, but it may contain executable Lua code.

The problem occurs because there is no verification step before execution. Users expect the configuration file to be harmless, but attackers can embed malicious Lua code within it.

If an unsuspecting user opens a malicious project directory, this code runs immediately with the same privileges as the Lite XL application.

| CVE ID | Product | Affected Versions | Vulnerability Type |
| --- | --- | --- | --- |
| CVE-2025-12120 | Lite XL Text Editor | 2.1.8 and earlier | Arbitrary Code Execution (ACE) |

An attacker could distribute a seemingly legitimate project folder via GitHub, file-sharing services, or other platforms.

When a developer opens this project in Lite XL, the embedded malicious .lite_project.lua file executes silently.

The attacker could then steal sensitive data, modify files, install malware, or further compromise the user’s system.

This type of attack is hazardous because users often trust projects from known sources or repositories without carefully inspecting configuration files.


Any user running Lite XL version 2.1.8 or earlier is vulnerable, as reported by researchers at Carnegie Mellon University.

The impact depends on the user’s system permissions. In most cases, the attacker gains the same privileges as the Lite XL process, which could be significant if Lite XL runs with elevated permissions.

Users should update Lite XL to a patched version as soon as one becomes available and avoid opening untrusted project directories in Lite XL.

Inspect the contents of any .lite_project.lua file before opening projects from unknown sources. This vulnerability demonstrates the importance of understanding how applications handle configuration files, especially when they contain executable code.
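The inspection step above can be scripted before a downloaded project is ever opened in the editor. The following is an added example, not code from the original article or from the Lite XL project: the function names, the sample file contents, and the list of flagged Lua standard-library calls are assumptions, and the list is a heuristic rather than a complete check.

```python
import os
import re
import tempfile

CONFIG_NAME = ".lite_project.lua"  # file named in the article

# Standard Lua library calls that reach the OS, the filesystem, or load more
# code. Heuristic list chosen for this example; it is not exhaustive.
RISKY = re.compile(
    r"\b(os\.(?:execute|remove|rename)|io\.(?:popen|open)|"
    r"package\.loadlib|loadstring|loadfile|dofile|load)\b"
)

def audit_lua(text):
    """Return (line_number, call_name, line) for each flagged call in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in RISKY.finditer(line):
            findings.append((number, match.group(1), line.strip()))
    return findings

def audit_tree(root):
    """Map every .lite_project.lua under root to its findings (may be empty)."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if CONFIG_NAME in files:
            path = os.path.join(folder, CONFIG_NAME)
            with open(path, encoding="utf-8", errors="replace") as handle:
                report[path] = audit_lua(handle.read())
    return report

def demo():
    """Build two constructed sample projects in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample contents, not real project files
            "settings_only": "local config = {}\nconfig.indent_size = 2\n",
            "runs_command": 'local config = {}\nos.execute("echo constructed-sample")\n',
        }
        for name, body in samples.items():
            os.makedirs(os.path.join(root, name))
            with open(os.path.join(root, name, CONFIG_NAME), "w") as handle:
                handle.write(body)
        return {os.path.relpath(p, root): f for p, f in audit_tree(root).items()}

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", findings or "nothing flagged; still review by hand")
```

Every file the scan lists would be run automatically by an affected Lite XL version, so an empty findings list means only that none of the listed calls matched, not that the file is safe.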

Lite XL maintainers should implement confirmation prompts before executing project configuration files or turn off automatic execution entirely.


The post Lite XL Text Editor Vulnerability Lets Attackers Execute Arbitrary Code appeared first on Cyber Security News.
