{
  "document": {
    "acknowledgments": [
      {"urls": ["https://kb.cert.org/vuls/id/579478#acknowledgements"]}
    ],
    "category": "CERT/CC Vulnerability Note",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "### Overview\r\nLite XL is a lightweight text editor derived from the lite project, written primarily in Lua and C. It supports Windows, Linux, and macOS, and is designed for extensibility through plugins and project-specific modules.\r\n\r\n### Description\r\nTwo vulnerabilities were identified in Lite XL:\r\n\r\n**CVE-2025-12120**  \r\nLite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.\r\n\r\n**CVE-2025-12121**  \r\nLite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.\r\n\r\n### Impact\r\n**CVE-2025-12120**  \r\nWhen opening a project in Lite XL, the project’s Lua module was executed automatically, potentially allowing malicious code in a repository to run without user consent.\r\n\r\n**CVE-2025-12121**  \r\nThe legacy system.exec function allowed arbitrary shell command execution, which could be abused to compromise the host system.\r\n\r\n### Affected versions\r\nLite XL versions 2.1.8 and prior\r\n\r\n### Solution\r\nUsers should update to the latest version of Lite XL that includes these pull requests:\r\n\r\n[PR #1472 – Adds in a trust guard for project modules.](https://github.com/lite-xl/lite-xl/pull/1472)  \r\n[PR #1473 – Removed legacy exec function.](https://github.com/lite-xl/lite-xl/pull/1473)  \r\n\r\nThese updates ensure that untrusted projects cannot automatically execute Lua code and that unsafe system calls are no longer available.\r\n\r\n### Acknowledgements\r\nThanks to Dogus Demirkiran for reporting these vulnerabilities. Additional thanks to GitHub user [Summertime](https://github.com/Summertime) for also identifying CVE-2025-12120 and opening [Issue #1892](https://github.com/lite-xl/lite-xl/issues/1892) on GitHub. This document was written by Marisa Midler.",
        "title": "Summary"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.",
        "title": "Legal Disclaimer"
      },
      {
        "category": "other",
        "text": "CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status.\nPlease consult the vendor's statements and advisory URL if provided by the vendor for more details.",
        "title": "Limitations of Advisory"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: cert@cert.org, Phone: +1412 268 5800",
      "issuing_authority": "CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/",
      "name": "CERT/CC",
      "namespace": "https://kb.cert.org/"
    },
    "references": [
      {"url": "https://certcc.github.io/certcc_disclosure_policy", "summary": "CERT/CC vulnerability disclosure policy"},
      {"summary": "CERT/CC document released", "category": "self", "url": "https://kb.cert.org/vuls/id/579478"},
      {"url": "https://github.com/lite-xl/lite-xl", "summary": "https://github.com/lite-xl/lite-xl"},
      {"url": "https://github.com/lite-xl/lite-xl/pull/2163", "summary": "https://github.com/lite-xl/lite-xl/pull/2163"},
      {"url": "https://github.com/lite-xl/lite-xl/pull/2164", "summary": "https://github.com/lite-xl/lite-xl/pull/2164"},
      {"url": "https://bend0us.github.io/vulnerabilities/lite-xl-rce/", "summary": "https://bend0us.github.io/vulnerabilities/lite-xl-rce/"}
    ],
    "title": "Lite XL Arbitrary Code Execution via Project Module and Legacy system.exec Function",
    "tracking": {
      "current_release_date": "2025-11-11T16:51:02+00:00",
      "generator": {"engine": {"name": "VINCE", "version": "3.0.35"}},
      "id": "VU#579478",
      "initial_release_date": "2025-11-11 16:51:02.710548+00:00",
      "revision_history": [
        {"date": "2025-11-11T16:51:02+00:00", "number": "1.20251111165102.1", "summary": "Released on 2025-11-11T16:51:02+00:00"}
      ],
      "status": "final",
      "version": "1.20251111165102.1"
    }
  },
  "vulnerabilities": [
    {
      "title": "Lite XL versions 2.",
      "notes": [
        {
          "category": "summary",
          "text": "Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process."
        }
      ],
      "cve": "CVE-2025-12120",
      "ids": [{"system_name": "CERT/CC V Identifier", "text": "VU#579478"}]
    },
    {
      "title": "Lite XL versions 2.",
      "notes": [
        {
          "category": "summary",
          "text": "Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process."
        }
      ],
      "cve": "CVE-2025-12121",
      "ids": [{"system_name": "CERT/CC V Identifier", "text": "VU#579478"}]
    }
  ],
  "product_tree": {"branches": []}
}