A vulnerability has been found in Lite XL, a light-weight textual content editor, that might permit attackers to execute arbitrary code on affected methods.
Carnegie Mellon College specialists recognized CVE-2025-12120, which impacts Lite XL variations 2.1.8 and earlier. The flaw exists in how Lite XL handles mission configuration information.
How the Vulnerability Works
When customers open a mission listing, Lite XL routinely runs the .lite_project.lua file with out asking for person affirmation.
This file is meant for project-specific settings and configurations, however it could include executable Lua code.
The issue happens as a result of there is no such thing as a verification step earlier than execution. Customers count on the configuration file to be innocent, however attackers can embed malicious Lua code inside it.
Suppose an unsuspecting person opens a malicious mission listing. In that case, this code runs instantly with the identical privileges because the Lite XL software.
CVE IDProductAffected VersionsVulnerability TypeCVE-2025-12120Lite XL Textual content Editor2.1.8 and earlierArbitrary Code Execution (ACE)
An attacker might distribute a seemingly official mission folder through GitHub, file-sharing providers, or different platforms.
When a developer opens this mission in Lite XL, the embedded malicious.lite_project, lua file executes silently.
The attacker might then steal delicate information, modify information, set up malware, or additional compromise the person’s system.
One of these assault is hazardous as a result of customers usually belief tasks from identified sources or repositories with out rigorously inspecting configuration information.
Any person working Lite XL model 2.1.8 or earlier is susceptible, as reported by researchers at Carnegie Mellon College.
The affect will depend on the person’s system permissions. Normally, the attacker positive aspects the identical privileges because the Lite XL course of, which could possibly be important if Lite XL runs with elevated permissions.
Customers ought to instantly replace Lite XL to a patched model as quickly because it turns into accessible, and keep away from opening untrusted mission directories in Lite XL.
Examine the contents of any .lite_project.lua file earlier than opening tasks from unknown sources. This vulnerability demonstrates the significance of understanding how functions deal with configuration information, particularly after they include executable code.
Lite XL maintainers ought to implement affirmation prompts earlier than executing mission configuration information or flip off computerized execution solely.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
