CVE-2025-12120
BaseFortify

Publication date: 2025-11-20

Last updated on: 2025-12-10

Assigner: CERT/CC

Description
Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-11-20
EPSS evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: lite-xl
Product: lite_xl
Version / Range: up to and including 2.1.8
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions (insights generated by AI)
Executive Summary

Lite XL versions 2.1.8 and earlier automatically run the .lite_project.lua file when a project directory is opened, without asking the user for permission. This file is meant for project-specific settings but can contain executable Lua code. Because of this, if a user opens a malicious project containing a crafted .lite_project.lua file, it could execute harmful code with the same permissions as the Lite XL application.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system with the privileges of the Lite XL process. If you open a malicious project, the embedded Lua code could perform unauthorized actions, potentially compromising your system's security and data.

Mitigation Strategies

To mitigate this vulnerability, avoid opening untrusted or suspicious project directories in Lite XL versions 2.1.8 and prior. Consider upgrading to a version of Lite XL that addresses this issue if available. Additionally, review and restrict access to .lite_project.lua files to prevent execution of untrusted Lua code.
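The review step above can be partly automated. The following Python script is an added example, not code from Lite XL or BaseFortify: it locates every .lite_project.lua under a directory tree (the file Lite XL 2.1.8 and earlier runs on project open) and flags lines that call Lua primitives a plain configuration file has no need for, so a user can inspect a project before opening it. The watch-list of primitives is an assumption chosen for this example; extend it to fit your environment.

```python
"""Triage .lite_project.lua files before opening a project in Lite XL <= 2.1.8."""
import re
from pathlib import Path

PROJECT_FILE = ".lite_project.lua"

# Lua primitives that a project configuration file has no legitimate need for.
# Constructed watch-list (assumption for this example); tune it as needed.
RISKY_CALLS = {
    r"\bos\.execute\s*\(": "spawns a shell command",
    r"\bio\.popen\s*\(": "runs a command and reads its output",
    r"\bio\.open\s*\(": "opens a file for reading or writing",
    r"\bos\.remove\s*\(": "deletes a file",
    r"\bload(string)?\s*\(": "compiles Lua from a string at runtime",
    r"\bdofile\s*\(": "executes another Lua file",
    r"\brequire\s*\(?\s*['\"]": "loads additional modules",
}


def strip_comment(line):
    """Drop a trailing Lua line comment so commented-out calls are not flagged."""
    return line.split("--", 1)[0]


def triage_lua(source):
    """Return (line_no, snippet, reason) for each line that uses a risky primitive."""
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        for pattern, reason in RISKY_CALLS.items():
            if re.search(pattern, code):
                findings.append((no, raw.strip(), reason))
    return findings


def find_project_files(root):
    """Locate every .lite_project.lua under root, i.e. the file Lite XL auto-executes."""
    return sorted(Path(root).rglob(PROJECT_FILE))


# Constructed sample: one benign setting plus two lines that warrant manual review.
SAMPLE = """-- project settings
config.indent_size = 2
local h = io.popen("some-command")  -- constructed example
os.execute("another-command")
"""

if __name__ == "__main__":
    for f in find_project_files("."):
        for no, snippet, reason in triage_lua(f.read_text(errors="replace")):
            print(f"{f}:{no}: {reason}: {snippet}")
```

Run it from the parent directory of a project you have not yet opened; any flagged line is a reason to read the file in a plain text viewer rather than open the project in an unpatched Lite XL.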
