Lite XL, a lightweight text editor written in Lua and C that runs on Windows, Linux, and macOS, has been found to contain a high-severity vulnerability that could enable arbitrary code execution.
Security researchers have identified flaws in how the editor handles project configuration files, potentially exposing users to malicious code execution when opening untrusted projects.
| CVE ID | Affected Versions | Vulnerability Type | CVSS Score |
|---|---|---|---|
| CVE-2025-12120 | 2.1.8 and prior | Arbitrary Code Execution via Automatic .lua Execution | High |
Lite XL is designed for extensibility through plugins and project-specific modules, making it a popular choice among developers seeking a customizable editing environment.
However, this flexibility has introduced a significant security risk through two recently disclosed vulnerabilities affecting versions 2.1.8 and earlier.
Critical Vulnerability Details
The primary security flaw, tracked as CVE-2025-12120, stems from Lite XL’s automatic execution of .lite_project.lua files without user confirmation.
When users open a project directory, Lite XL automatically loads and executes the project’s Lua configuration module.
This behavior, while intended for legitimate project-specific configuration, creates an attack vector for malicious actors.
An attacker can craft a malicious project whose .lite_project.lua file contains executable Lua code.
When an unsuspecting user opens this project in Lite XL, the malicious code executes automatically with the same privileges as the Lite XL process itself.
This could allow attackers to gain unauthorized access to system resources, steal sensitive data, or compromise the user’s development environment.
The vulnerability is particularly concerning because users may clone repositories from sources they believe to be trustworthy or may download project archives from collaborative platforms without realizing the potential threat posed by embedded Lua code.
The seamless, automatic execution means users face no warning or opportunity to review the code before it runs.
The security implications are substantial for developers who work with multiple projects from various sources.
An attacker could leverage this vulnerability to establish persistent access, exfiltrate source code or credentials, inject backdoors into ongoing projects, or launch supply chain attacks by compromising developer machines.
The risk amplifies in team environments where developers collaborate on projects pulled from various repositories.
The Lite XL development team has addressed these vulnerabilities through two critical pull requests. PR #1472 implements a trust guard mechanism for project modules, preventing untrusted projects from automatically executing Lua code.
PR #1473 removes the legacy exec function that posed additional security risks. These fixes ensure that projects cannot execute code without explicit user authorization.
Users are strongly encouraged to update to the latest version of Lite XL immediately. The updated version introduces security prompts that require users to approve execution of the project module before the code runs.
This additional layer of user confirmation helps prevent accidental execution of malicious code.
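The guarded loader below is an added illustration of the trust-guard idea described above; it is not Lite XL's own code and not the text of PR #1472. The names `trust_store`, `fingerprint`, `ask_user` and `load_project_module` are assumptions, and the djb2-style fingerprint stands in for a real digest.

```lua
-- Added illustration, not Lite XL's own code nor the text of PR #1472.
-- Vulnerable pattern (2.1.8 and prior): run the module unconditionally,
--   dofile(project_dir .. "/.lite_project.lua")
-- Guarded pattern: run only content the user explicitly approved, and
-- re-prompt whenever that content changes.
local PROJECT_MODULE = ".lite_project.lua"
-- project directory -> fingerprint of the approved module content
-- (a real editor would persist this under the user's config directory)
local trust_store = {}

-- djb2-style fingerprint, only to keep the example self-contained;
-- a real implementation should use a proper digest such as SHA-256.
local function fingerprint(s)
  local h = 5381
  for i = 1, #s do h = (h * 33 + s:byte(i)) % 4294967296 end
  return string.format("%08x:%d", h, #s)
end

local function read_file(path)
  local f = io.open(path, "rb")
  if not f then return nil end
  local data = f:read("*a")
  f:close()
  return data
end

-- ask_user(project_dir, source) is the prompt hook; it must return true only
-- on an explicit approval (Lite XL would show a dialog, a test passes a stub).
-- Returns "no-module", "blocked", "executed", or "error" plus the message.
local function load_project_module(project_dir, ask_user)
  local path = project_dir .. "/" .. PROJECT_MODULE
  local source = read_file(path)
  if not source then return "no-module" end
  local fp = fingerprint(source)
  if trust_store[project_dir] ~= fp then
    -- never approved, or changed since approval: default is "do not run"
    if not ask_user(project_dir, source) then return "blocked" end
    trust_store[project_dir] = fp
  end
  -- mode "t" rejects precompiled bytecode; the env table stops the module
  -- from clobbering editor globals (not a sandbox: os and io stay reachable)
  local env = setmetatable({}, { __index = _G })
  local chunk, err = load(source, "@" .. path, "t", env)
  if not chunk then return "error", err end
  local ok, run_err = pcall(chunk)
  if not ok then return "error", run_err end
  return "executed"
end

return { load_project_module = load_project_module, fingerprint = fingerprint }
```

Passing a stub `ask_user` that always returns false confirms that an unreviewed module is reported as "blocked" and never compiled, which is the behaviour the fix restores by default.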
Security researcher Dogus Demirkiran reported the vulnerabilities, which were independently identified by GitHub user Summertime.
The collaborative disclosure process highlights the importance of responsible vulnerability reporting in protecting developer communities.
Developers using Lite XL should prioritize updating to the patched version and exercise caution when opening projects from untrusted sources until the update is deployed across their development environments.
