
A vulnerability has been discovered in Lite XL, a lightweight text editor, that could allow attackers to execute arbitrary code on affected systems.
Carnegie Mellon University experts identified CVE-2025-12120, which affects Lite XL versions 2.1.8 and earlier. The flaw exists in how Lite XL handles project configuration files.
How the Vulnerability Works
When users open a project directory, Lite XL automatically runs the .lite_project.lua file without asking for user confirmation.
This file is intended for project-specific settings and configurations, but it may contain executable Lua code.
The problem occurs because there is no verification step before execution. Users expect the configuration file to be harmless, but attackers can embed malicious Lua code within it.
If an unsuspecting user opens a malicious project directory, the embedded code runs immediately with the same privileges as the Lite XL process.
| CVE ID | Product | Affected Versions | Vulnerability Type |
|---|---|---|---|
| CVE-2025-12120 | Lite XL Text Editor | 2.1.8 and earlier | Arbitrary Code Execution (ACE) |
An attacker could distribute a seemingly legitimate project folder via GitHub, file-sharing services, or other platforms.
When a developer opens this project in Lite XL, the embedded malicious .lite_project.lua file executes silently.
The attacker could then steal sensitive data, modify files, install malware, or further compromise the user’s system.
This type of attack is hazardous because users often trust projects from known sources or repositories without carefully inspecting configuration files.
Any user running Lite XL version 2.1.8 or earlier is vulnerable, as reported by researchers at Carnegie Mellon University.
The impact depends on the user’s system permissions. In most cases, the attacker gains the same privileges as the Lite XL process, which could be significant if Lite XL runs with elevated permissions.
Users should update Lite XL to a patched version as soon as one becomes available, and should avoid opening untrusted project directories in Lite XL.
Inspect the contents of any .lite_project.lua file before opening projects from unknown sources. This vulnerability demonstrates the importance of understanding how applications handle configuration files, especially when they contain executable code.
Lite XL maintainers should implement confirmation prompts before executing project configuration files or turn off automatic execution entirely.
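The two defensive steps recommended above, inspecting .lite_project.lua before opening a project from an unknown source and requiring an explicit confirmation before a project config is allowed to run, can be carried out with a small pre-open check. The following script is an added example, not code from Lite XL (which is itself written in Lua) or from the CERT/CC report. It locates the project's .lite_project.lua, hashes it, compares the hash against a local allowlist of configs the user has already approved, and flags Lua calls that a plain settings file has no reason to make. The list of flagged calls, the `process.start` name, the `config.indent_size` and `config.tab_type` settings in the sample files, and the allowlist location under the home directory are this example's assumptions; the sample configs are constructed. The Lua is never executed.

```python
"""Pre-open review of a Lite XL project directory (constructed example).

Finds .lite_project.lua, hashes it, checks it against a local allowlist of
previously approved configs, and reports risky Lua calls. Nothing here runs
the Lua; the point is to decide *before* Lite XL would auto-execute it.
"""
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from pathlib import Path

PROJECT_CONFIG_NAME = ".lite_project.lua"

# Calls an ordinary settings file should not need. This list is an assumption
# of the example, not taken from the advisory; extend it for your environment.
# Comments are not stripped, so a commented-out call is also reported, which is
# an acceptable false positive for a pre-open check.
RISKY_PATTERNS = {
    "os.execute": re.compile(r"\bos\.execute\s*\("),
    "io.popen": re.compile(r"\bio\.popen\s*\("),
    "io.open for write/append": re.compile(r"\bio\.open\s*\([^)]*,\s*['\"][wa]"),
    "dynamic code loading": re.compile(r"\b(load|loadstring|dofile|loadfile)\s*\("),
    "file deletion/rename": re.compile(r"\bos\.(remove|rename)\s*\("),
    "process spawn (assumed Lite XL API name)": re.compile(r"\bprocess\.start\s*\("),
}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_risky_calls(lua_source: str) -> list[str]:
    """Return the labels of every risky pattern present in the Lua text, sorted."""
    return sorted(label for label, rx in RISKY_PATTERNS.items() if rx.search(lua_source))


def load_trust_store(store_path: Path) -> dict[str, str]:
    """Map of absolute project path -> sha256 of the config that was approved."""
    return json.loads(store_path.read_text()) if store_path.exists() else {}


def save_trust_store(store_path: Path, store: dict[str, str]) -> None:
    store_path.write_text(json.dumps(store, indent=2, sort_keys=True))


def review_project(project_dir: Path, store: dict[str, str]) -> dict:
    """Classify the project's config without executing it.

    status: "no-config" -> nothing would run, safe to open
            "trusted"   -> config hash matches what was approved earlier
            "untrusted" -> new or changed config; get explicit approval first
    """
    project_dir = project_dir.resolve()
    config = project_dir / PROJECT_CONFIG_NAME
    if not config.is_file():
        return {"status": "no-config", "digest": None, "findings": []}
    digest = sha256_file(config)
    findings = find_risky_calls(config.read_text(errors="replace"))
    status = "trusted" if store.get(str(project_dir)) == digest else "untrusted"
    return {"status": status, "digest": digest, "findings": findings}


def approve_project(project_dir: Path, store: dict[str, str], digest: str) -> None:
    """Record the reviewed hash; any later edit of the file invalidates the approval."""
    store[str(project_dir.resolve())] = digest


# Constructed sample configs for a stand-alone run (not from any real project).
BENIGN_CONFIG = 'config.indent_size = 2\nconfig.tab_type = "soft"\n'
RISKY_CONFIG = (
    "config.indent_size = 2\n"
    "-- constructed sample: a settings file has no business running commands\n"
    'os.execute("echo constructed-sample")\n'
)


def make_demo_projects() -> dict[str, Path]:
    """Create throwaway project dirs: one benign config, one risky, one with none."""
    base = Path(tempfile.mkdtemp(prefix="litexl-demo-"))
    dirs = {}
    for name, body in (("benign", BENIGN_CONFIG), ("risky", RISKY_CONFIG)):
        (base / name).mkdir()
        (base / name / PROJECT_CONFIG_NAME).write_text(body)
        dirs[name] = base / name
    (base / "plain").mkdir()
    dirs["plain"] = base / "plain"
    return dirs


if __name__ == "__main__":
    import sys

    store_path = Path.home() / ".litexl-trusted-projects.json"  # assumed location
    store = load_trust_store(store_path)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_demo_projects()["risky"]
    result = review_project(target, store)
    print(f"{target}: {result['status']}")
    for finding in result["findings"]:
        print(f"  flagged: {finding}")
    if result["status"] == "untrusted":
        # The confirmation step the editor itself lacks in 2.1.8 and earlier.
        if input("Approve this config and remember its hash? [y/N] ").strip().lower() == "y":
            approve_project(target, store, result["digest"])
            save_trust_store(store_path, store)
```

Run it with a project directory as the only argument; with no argument it reviews the constructed risky sample. The hash allowlist is a trust-on-first-use record: a project is only ever "trusted" for the exact config bytes the user approved, so a later modification of .lite_project.lua (for example after pulling new commits) drops it back to "untrusted" and the findings are shown again.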
