CVE-2025-12120
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-12120, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-20

Last updated on: 2025-12-10

Assigner: CERT/CC

Description

Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-20
Last Modified
2025-12-10
Generated
2026-07-06
AI Q&A
2025-11-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
lite-xl lite_xl to 2.1.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Lite XL versions 2.1.8 and earlier automatically run the .lite_project.lua file when a project directory is opened, without asking the user for permission. This file is meant for project-specific settings but can contain executable Lua code. Because of this, if a user opens a malicious project containing a crafted .lite_project.lua file, it could execute harmful code with the same permissions as the Lite XL application.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system with the privileges of the Lite XL process. If you open a malicious project, the embedded Lua code could perform unauthorized actions, potentially compromising your system's security and data.

Mitigation Strategies

To mitigate this vulnerability, avoid opening untrusted or suspicious project directories in Lite XL versions 2.1.8 and prior. Consider upgrading to a version of Lite XL that addresses this issue if available. Additionally, review and restrict access to .lite_project.lua files to prevent execution of untrusted Lua code.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12120. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart