CVE-2025-12120
📋 TL;DR
Lite XL versions 2.1.8 and earlier automatically execute Lua code from .lite_project.lua files when opening project directories without user confirmation. This allows attackers to execute arbitrary code by tricking users into opening malicious projects. All Lite XL users who open untrusted project directories are affected.
💻 Affected Systems
- Lite XL
📦 What is this software?
Lite XL, a lightweight text editor, maintained by the Lite XL project.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary code execution with the privileges of the Lite XL process, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local file system access, credential harvesting from the user's environment, or installation of additional malware payloads.
If Mitigated
Limited impact if users only open trusted projects from verified sources and have proper endpoint protection.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious project) but the technical complexity is low once the malicious file is created.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.9 or later
Vendor Advisory: https://github.com/lite-xl/lite-xl/pull/2164
Restart Required: Yes
Instructions:
1. Download Lite XL version 2.1.9 or later from the official repository.
2. Install the new version, replacing the existing installation.
3. Restart Lite XL to ensure the fix is applied.
🔧 Temporary Workarounds
Disable automatic project file execution (platform: all)
Modify the Lite XL configuration to prevent automatic execution of .lite_project.lua files.
Edit ~/.config/lite-xl/init.lua and add the following to override the default behavior:
  core.command_view:add_command('project-open', function() core.open_folder() end)
Remove execute permissions from project files (platform: all)
Make .lite_project.lua files non-executable at the system level:
  chmod -x .lite_project.lua (Linux/macOS)
  attrib -R .lite_project.lua (Windows)
Caveat: the editor reads .lite_project.lua as Lua source rather than running it as a program, so neither the execute bit nor the read-only attribute stops it from being loaded; treat this step as a review marker, not as a control that blocks execution.
🧯 If You Can't Patch
- Only open projects from trusted sources and verify .lite_project.lua files before opening directories
- Use Lite XL in a sandboxed environment or virtual machine when working with untrusted projects
🔍 How to Verify
Check if Vulnerable:
Check the Lite XL version: if it is 2.1.8 or earlier, the installation is vulnerable.
Check Version:
lite-xl --version
Verify Fix Applied:
Verify Lite XL version is 2.1.9 or later and test that opening a project directory with a .lite_project.lua file no longer executes it automatically
📡 Detection & Monitoring
Log Indicators:
- Unexpected Lua execution errors in Lite XL logs
- Creation or modification of .lite_project.lua files in unexpected locations
Network Indicators:
- Downloads of project files from untrusted sources followed by Lite XL process execution
SIEM Query:
(Process Creation where Image ends with 'lite-xl.exe' AND CommandLine contains '--project') OR (File Creation where TargetFilename ends with '.lite_project.lua')