Experts from Carnegie Mellon University discovered a flaw in Lite XL, a lightweight text editor, that permits arbitrary code execution (ACE). The vulnerability arises because opening a project directory causes the application to run the directory's .lite_project.lua file automatically, without any user confirmation. The file is intended for configuration settings, but it can carry malicious code that executes with the same privileges as Lite XL the moment an unsuspecting user opens the project.
The flaw, tracked as CVE-2025-12120, affects all users running Lite XL version 2.1.8 or earlier. Attackers can share a seemingly legitimate project folder containing a malicious .lite_project.lua file, which runs silently once the folder is opened. This puts user data at risk: an attacker could steal sensitive information, modify files, and install harmful software on the compromised system. Users are urged to upgrade to a patched version promptly and to be cautious when opening project directories from untrusted sources. A confirmation prompt before a project file is executed would further reduce exposure to this class of threat.
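As an added example (not code from the article or from the Lite XL project), the following Python helper audits a downloaded project tree for .lite_project.lua files before the directory is opened in Lite XL and flags standard Lua calls that spawn processes or load code at runtime; the file names, sample contents and the list of flagged calls are assumptions constructed for this illustration.

```python
"""Audit a project directory for auto-executed Lite XL config files.

Lite XL <= 2.1.8 runs .lite_project.lua when a project directory is
opened (CVE-2025-12120). This helper walks a directory, locates such
files and reports Lua calls that execute commands or load arbitrary
code, so a reviewer can inspect them before opening an untrusted
project. Heuristic only: a clean report is not proof a file is benign.
"""
import os
import re
import tempfile

PROJECT_FILE = ".lite_project.lua"

# Standard Lua functions that run shell commands or load code at runtime.
RISKY_CALLS = ("os.execute", "io.popen", "load", "loadstring", "dofile", "loadfile")


def scan_lua_source(text):
    """Return the names of risky calls found in a Lua source string."""
    found = []
    for name in RISKY_CALLS:
        # Match the exact call name followed by an opening parenthesis.
        if re.search(r"\b" + re.escape(name) + r"\s*\(", text):
            found.append(name)
    return found


def audit_project_dir(root):
    """Map every .lite_project.lua under root to the risky calls it contains."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if PROJECT_FILE in files:
            path = os.path.join(dirpath, PROJECT_FILE)
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[path] = scan_lua_source(fh.read())
    return report


def is_safe_to_open(root):
    """True only if no .lite_project.lua under root contains a risky call."""
    return not any(audit_project_dir(root).values())


# Constructed sample project files (assumed content, not from any real project).
BENIGN = "-- harmless editor settings\nconfig.tab_size = 2\n"
MALICIOUS = "config.tab_size = 2\nos.execute(\"echo demo\")  -- runs on project open\n"


def build_demo_tree():
    """Create a temp tree with one benign and one risky project; return its root."""
    root = tempfile.mkdtemp(prefix="litexl-audit-")
    for name, body in (("clean", BENIGN), ("shady", MALICIOUS)):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, PROJECT_FILE), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, calls in audit_project_dir(build_demo_tree()).items():
        print(path, "RISKY: " + ", ".join(calls) if calls else "ok")
```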
Read the original: Cyber Security News