
CERT Coordination Center

Lite XL Arbitrary Code Execution via Project Module and Legacy system.exec Function

Vulnerability Note VU#579478

Original Release Date: 2025-11-11 | Last Revised: 2025-11-11

Overview

Lite XL is a lightweight text editor derived from the lite project, written primarily in Lua and C. It supports Windows, Linux, and macOS, and is designed for extensibility through plugins and project-specific modules.

Description

Two vulnerabilities were identified in Lite XL:

CVE-2025-12120
Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.

CVE-2025-12121
Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.

Impact

CVE-2025-12120
When opening a project in Lite XL, the project’s Lua module was executed automatically, potentially allowing malicious code in a repository to run without user consent.

CVE-2025-12121
The legacy system.exec function allowed arbitrary shell command execution, which could be abused to compromise the host system.

Affected versions

Lite XL versions 2.1.8 and prior

Solution

Users should update to the latest version of Lite XL that includes these pull requests:

PR #1472 – Adds a trust guard for project modules.
PR #1473 – Removes the legacy exec function.

These updates ensure that untrusted projects cannot automatically execute Lua code and that unsafe system calls are no longer available.
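To illustrate the trust-guard approach behind PR #1472, here is an added Python sketch (not Lite XL's code, and the names, the JSON trust store and the decision values are assumptions): the project module is run only when the user has approved that exact file content, and any later change to the file drops the project back to an untrusted state.

```python
"""Illustrative trust guard for per-project startup modules (not Lite XL's code).
A project's .lite_project.lua runs only after the user has trusted that exact
file content (absolute path + SHA-256); any later edit, e.g. from pulling a
malicious commit, changes the hash and the project drops back to 'prompt'."""
import hashlib
import json
import os
from pathlib import Path

PROJECT_MODULE = ".lite_project.lua"  # file name from the advisory

def module_digest(project_dir):
    """SHA-256 hex digest of the project module, or None if absent."""
    path = Path(project_dir) / PROJECT_MODULE
    if not path.is_file():
        return None
    return hashlib.sha256(path.read_bytes()).hexdigest()

class TrustStore:
    """Maps absolute project paths to the module digest the user approved."""
    def __init__(self, store_path):
        self.store_path = store_path
        self.entries = {}
        if os.path.exists(store_path):
            with open(store_path, encoding="utf-8") as fh:
                self.entries = json.load(fh)

    def decision(self, project_dir):
        """'none' (no module), 'run' (trusted and unchanged) or 'prompt'."""
        digest = module_digest(project_dir)
        if digest is None:
            return "none"
        key = str(Path(project_dir).resolve())
        return "run" if self.entries.get(key) == digest else "prompt"

    def trust(self, project_dir):
        """Persist explicit user approval of the module's current content."""
        digest = module_digest(project_dir)
        if digest is not None:
            self.entries[str(Path(project_dir).resolve())] = digest
            with open(self.store_path, "w", encoding="utf-8") as fh:
                json.dump(self.entries, fh)

def open_project(project_dir, store, run_module):
    """Invoke run_module (the Lua loader) only when the guard says 'run'."""
    outcome = store.decision(project_dir)
    if outcome == "run":
        run_module(Path(project_dir) / PROJECT_MODULE)
    return outcome
```

A real editor would turn the 'prompt' outcome into a dialog and call trust() only on an explicit user choice; the point is that opening a directory alone never executes its module.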

Acknowledgements

Thanks to the reporter Dogus Demirkiran for reporting these vulnerabilities. Additional thanks to GitHub user Summertime for also identifying CVE-2025-12120 and opening Issue #1892 on GitHub. This document was written by Marisa Midler.

Vendor Information


Lite XL: Unknown

Notified: 2025-10-15 Updated: 2025-11-11

CVE-2025-12120: Unknown
CVE-2025-12121: Unknown

Vendor Statement

We have not received a statement from the vendor.
Other Information

CVE IDs: CVE-2025-12120 CVE-2025-12121
Date Public: 2025-11-11
Date First Published: 2025-11-11
Date Last Updated: 2025-11-11 16:51 UTC
Document Revision: 1

Sponsored by CISA.