CISA issues advisory on Lite XL vulnerabilities enabling arbitrary code execution

Lite XL, a cross-platform text editor written in Lua and C, contains two vulnerabilities that enable arbitrary code execution in the context of the application process.

The first issue, tracked as CVE-2025-12120, affects Lite XL versions 2.1.8 and earlier. When a project directory is opened, the application automatically runs the `.lite_project.lua` file it contains, without notifying the user. Because this file holds executable Lua code intended for project-specific settings, opening a malicious project can run unauthorized Lua scripts. The second vulnerability, CVE-2025-12121, involves the `system.exec` function in the same versions. This function builds shell command strings without proper sanitization and is invoked when a project directory is launched (`core.lua`), when dropped files are processed (`rootview.lua`), and by the "open in system" action of the treeview plugin (`treeview.lua`). An attacker who controls input reaching `system.exec` can execute arbitrary shell commands with the privileges of the Lite XL process.

For CVE-2025-12120, the automatic execution of a project's Lua module means code can run without the user's consent simply by opening a project. CVE-2025-12121 allows execution of arbitrary shell commands through the vulnerable `system.exec` usage, putting the running system at risk of compromise.

Lite XL releases up to and including version 2.1.8 are impacted by these weaknesses.

The vulnerabilities are addressed in updated Lite XL versions incorporating pull requests #1472 and #1473. PR #1472 introduces a trust mechanism that restricts execution of project modules. PR #1473 removes the legacy `system.exec` function entirely. Together these changes stop untrusted projects from executing Lua code automatically and eliminate the unsafe system command calls.
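As an added example (not code from Lite XL or from either pull request), the following Python helper lets a defender triage existing checkouts before upgrading: it finds every `.lite_project.lua` that a vulnerable build would execute on open, treats a module as trusted only if its SHA-256 digest is on an allowlist, and otherwise reports calls that reach a shell or load further code. The watchlist of calls and the trust-by-hash rule are this example's own assumptions, not the mechanism PR #1472 implements.

```python
import hashlib
import os
import re

PROJECT_MODULE = ".lite_project.lua"
# Lua / Lite XL calls that reach a shell or load more code (assumed watchlist).
RISKY_CALLS = re.compile(
    r"\b(system\.exec|os\.execute|io\.popen|dofile|loadstring|load)\s*\("
)


def flag_risky_calls(lua_source):
    """Return [(line_no, call_name)] for each watch-listed call in a module."""
    hits = []
    for line_no, line in enumerate(lua_source.splitlines(), 1):
        for match in RISKY_CALLS.finditer(line):
            hits.append((line_no, match.group(1)))
    return hits


def module_digest(lua_source):
    """SHA-256 of the module text, used as the allowlist key."""
    return hashlib.sha256(lua_source.encode("utf-8")).hexdigest()


def assess_project_module(lua_source, trusted_digests):
    """Trusted only when the digest is allowlisted; otherwise untrusted,
    with the risky calls a reviewer should look at before opening it."""
    digest = module_digest(lua_source)
    if digest in trusted_digests:
        return {"trusted": True, "digest": digest, "findings": []}
    return {"trusted": False, "digest": digest,
            "findings": flag_risky_calls(lua_source)}


def scan_tree(root, trusted_digests=frozenset()):
    """Map each project module path under root to its assessment."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if PROJECT_MODULE in files:
            path = os.path.join(dirpath, PROJECT_MODULE)
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = assess_project_module(fh.read(), trusted_digests)
    return report


# Constructed sample module: benign settings plus one shell call to be flagged.
SAMPLE_MODULE = """-- project settings
config.indent_size = 2
local status = system.exec("git -C " .. PROJECT_DIR .. " status")
"""

if __name__ == "__main__":
    print(assess_project_module(SAMPLE_MODULE, set()))
```

Running `scan_tree("/path/to/projects")` over a directory of checkouts yields one entry per project module, so untrusted modules can be reviewed or removed before the editor opens them.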

Users are advised to upgrade to the latest Lite XL version, which includes these corrections and so prevents both the automatic execution of untrusted Lua scripts and the unsafe shell command execution paths.