Lite XL Pre-Auth RCE via Auto-Exec Lua and system.exec (CVE-2025-12120/12121)

Key Vulnerability Information from the Screenshot Vulnerability IDs CVE-2025-12120 CVE-2025-12121 Affected Software and Versions Software: Lite XL (a lightweight text editor) Affected Versions: 2.1.8 and prior Vulnerability Details CVE-2025-12120 Description: Lite XL versions 2.1.8 and prior automatically execute the file when opening a project directory, without user confirmation. This file can contain executable Lua logic, leading to potential arbitrary code execution with the privileges of the Lite XL process. Impact: Allows execution of untrusted Lua code if a malicious project is opened. CVE-2025-12121 Description: Lite XL versions 2.1.8 and prior contain a vulnerability in the function, allowing arbitrary command execution through unsanitized shell command construction. Impact: Can be exploited to execute arbitrary commands with the privileges of the Lite XL process. Solution Recommended Action: Users should update to the latest version of Lite XL that includes the following pull requests: - PR #1472: Adds in a trust guard for project modules. - PR #1473: Removed legacy exec function. Additional Information References: - https://github.com/lite-xl/lite-xl - https://github.com/lite-xl/lite-xl/pull/2163 - https://github.com/lite-xl/lite-xl/pull/2164 - https://bend0us.github.io/vulnerabilities/lite-xl-rce/ Contributors: - Reporter: Dogus Demirkiran - Additional thanks to GitHub user Summertime API URL: VINCE JSON

目標達成 すべての支援者に感謝 — 100%達成しました！

Lite XL Pre-Auth RCE via Auto-Exec Lua and system.exec (CVE-2025-12120/12121)

目標達成すべての支援者に感謝 — 100%達成しました！