Security of Legacy Notepad++ Versions (CVE-2025-49144)
-
Hello,
With the recent disclosure of CVE-2025-49144, which affects Notepad++ versions prior to 8.8.2, and the availability of a public exploit, I was wondering if there has been any discussion or plan regarding patching older vulnerable versions or restricting access to outdated installers from official sources to help protect users who might unknowingly download them.
Has anyone seen any official communication or thoughts from the development team on this?
Thanks in advance for any insights!
Best regards,
-
@Bhaalthazar, I personally think the vulnerability is minor. It either depends on people downloading a Notepad++ update from somewhere other than the official Notepad++ site, or it depends on a potential victim’s machine already being infected with a virus that in turn needs to jump through an elaborate set of hoops to take advantage of the CVE-2025-49144 vulnerability.
-
@Bhaalthazar said in Security of Legacy Notepad++ Versions (CVE-2025-49144):
patching older vulnerable versions
I can’t comment on the rest of what you said, but I can confidently state that the Notepad++ developers do not release patches on older versions of Notepad++; they only issue new versions. If a user needs a version of Notepad++ that includes a fix to an old bug, their only option is to update to a newer version.
This has always been the case and I see no reason to expect that it will ever change, because Notepad++ does not have nearly enough regular contributors (nor do those contributors have enough time) to manage multiple versions simultaneously.