VU#579478: Lite XL Arbitrary Code Execution via Project Module and Legacy system.exec Function

Overview

Lite XL is a lightweight text editor derived from the lite project, written primarily in Lua and C. It supports Windows, Linux, and macOS, and is designed for extensibility through plugins and project‑specific modules.

Description

Two vulnerabilities were identified in Lite XL:

CVE-2025-12120
Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.
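The mitigation described for this issue is a trust guard: the project module is not executed until the user has approved that exact file content, and a later change to the file must be approved again. The following is an added example of that pattern, not Lite XL's code from PR #1472; the trust-store format, the prompt callback and the function names are assumptions for illustration, and the module body it writes is a constructed, harmless configuration line.

```python
"""Trust guard for a per-project module (added example, not Lite XL's code).

Binds the trust decision to a SHA-256 of the file's bytes, so moving the
project or editing .lite_project.lua (for example after pulling a branch)
invalidates the earlier approval. Store format and prompt callback are
assumptions for this illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

PROJECT_MODULE = ".lite_project.lua"


def digest_of(path: Path) -> str:
    """SHA-256 of the file's bytes; trust is bound to content, not only to the path."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def load_trust_store(store_path: Path) -> dict:
    """Persisted map of module path -> approved content digest (assumed JSON layout)."""
    if store_path.is_file():
        return json.loads(store_path.read_text())
    return {}


def save_trust_store(store_path: Path, store: dict) -> None:
    store_path.write_text(json.dumps(store, indent=2))


def guard_project_module(project_dir: Path, store: dict, ask_user) -> str:
    """Decide whether the project module may run.

    Returns 'absent', 'trusted', 'approved' or 'refused'. A caller executes the
    module only on 'trusted' or 'approved'; ask_user(module_path, digest) -> bool
    is the confirmation prompt shown for unknown or changed content.
    """
    module = project_dir / PROJECT_MODULE
    if not module.is_file():
        return "absent"
    digest = digest_of(module)
    key = str(module.resolve())
    if store.get(key) == digest:
        return "trusted"            # same content approved earlier: no prompt
    if ask_user(module, digest):    # unknown or changed content: ask first
        store[key] = digest
        return "approved"
    return "refused"


def demo() -> list:
    """Walk through the lifecycle in a temp directory and collect each decision."""
    outcomes = []
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        project.mkdir()
        store_path = Path(tmp) / "trusted_projects.json"
        store = load_trust_store(store_path)

        outcomes.append(guard_project_module(project, store, lambda m, d: True))   # no module yet

        module = project / PROJECT_MODULE
        module.write_text('config.tab_type = "soft"\n')   # constructed, harmless module body

        outcomes.append(guard_project_module(project, store, lambda m, d: False))  # user declines
        outcomes.append(guard_project_module(project, store, lambda m, d: True))   # user approves
        save_trust_store(store_path, store)

        store = load_trust_store(store_path)             # simulate restarting the editor
        outcomes.append(guard_project_module(project, store, lambda m, d: True))   # silent: already trusted

        module.write_text('config.tab_type = "hard"\n')  # content changed since approval
        prompted = []
        outcomes.append(guard_project_module(project, store, lambda m, d: prompted.append(d) or False))
        outcomes.append(len(prompted))                   # 1: changed content triggered a fresh prompt
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['absent', 'refused', 'approved', 'trusted', 'refused', 1]
```

The important design point is that the store records a content digest rather than a "this directory is trusted" flag: a repository that was approved once cannot later smuggle in a different module body without the prompt reappearing.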

CVE-2025-12121
Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.
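The root cause here is a command built as one string and re-parsed by a shell, so a file name taken from a dropped file or a tree-view entry is split on whitespace and its shell metacharacters are interpreted instead of being passed through. The following added example (not Lite XL's code) contrasts that construction with the argument-vector form that PR #1473's removal of system.exec pushes callers toward; the helper names, the placeholder program name `opener` and the sample file names are assumptions for illustration, and only the tokenisation of the unsafe form is shown, no shell is run for it.

```python
"""Shell-string construction vs argument-vector launching
(added example, not Lite XL's code; helper and sample names are assumptions)."""
import shlex
import subprocess
import sys

# Stand-in for an "open in system" target: a tiny child program that reports
# the single path argument it actually received.
ECHO_ARG = "import sys; print(sys.argv[1])"


def shell_words_seen_by_child(path: str) -> list:
    """The legacy pattern: concatenate a string and let a shell split it.

    Returns the arguments the shell would hand to the program. Only the
    tokenisation is demonstrated; nothing is executed.
    """
    command = f"opener {path}"        # unsanitised concatenation
    return shlex.split(command)[1:]   # one word per whitespace-separated piece


def open_with_argv(path: str) -> str:
    """The fixed pattern: an argv list with shell=False.

    The path reaches the child as exactly one argument, whatever it contains.
    """
    result = subprocess.run(
        [sys.executable, "-c", ECHO_ARG, path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def quote_if_shell_unavoidable(path: str) -> str:
    """Fallback when a shell string genuinely cannot be avoided: every untrusted
    fragment must be quoted so it is treated as a single shell word."""
    return f"opener {shlex.quote(path)}"


if __name__ == "__main__":
    sample = "my notes (draft).txt"                  # constructed file name with spaces
    print(shell_words_seen_by_child(sample))         # ['my', 'notes', '(draft).txt']: three args, wrong file
    print(open_with_argv(sample))                    # my notes (draft).txt: one intact argument
    print(quote_if_shell_unavoidable(sample))        # opener 'my notes (draft).txt'
```

A file name with a space is the benign case of the same defect: once the shell re-parses the string, the program receives the wrong arguments, and any shell syntax inside the name is honoured rather than passed through. The argv form needs no quoting at all, which is why removing the string-based helper rather than patching its escaping is the more robust fix.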

Impact

CVE-2025-12120
When opening a project in Lite XL, the project’s Lua module was executed automatically, potentially allowing malicious code in a repository to run without user consent.

CVE-2025-12121
The legacy system.exec function allowed arbitrary shell command execution, which could be abused to compromise the host system.

Affected versions

Lite XL versions 2.1.8 and prior

Solution

Users should update to the latest version of Lite XL that includes these pull requests:

PR #1472 – Adds a trust guard for project modules.
PR #1473 – Removes the legacy system.exec function.

These updates ensure that untrusted projects cannot automatically execute Lua code and that unsafe system calls are no longer available.

Acknowledgements

Thanks to the reporter Dogus Demirkiran for reporting these vulnerabilities. Additional thanks to GitHub user Summertime for also identifying CVE-2025-12120 and opening Issue #1892 on GitHub. This document was written by Marisa Midler.