CVE-2025-12120
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-12-10
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lite-xl | lite_xl | to 2.1.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Lite XL versions 2.1.8 and earlier automatically run the .lite_project.lua file when a project directory is opened, without asking the user for permission. This file is meant for project-specific settings but can contain executable Lua code. Because of this, if a user opens a malicious project containing a crafted .lite_project.lua file, it could execute harmful code with the same permissions as the Lite XL application.
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary code execution on your system with the privileges of the Lite XL process. If you open a malicious project, the embedded Lua code could perform unauthorized actions, potentially compromising your system's security and data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid opening untrusted or suspicious project directories in Lite XL versions 2.1.8 and prior. Consider upgrading to a version of Lite XL that addresses this issue if available. Additionally, review and restrict access to .lite_project.lua files to prevent execution of untrusted Lua code.