    Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?

    Cheece777

      We reviewed a local Notepad++ 8.9.3 installation and found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0. This version is flagged by our vulnerability scanner in relation to CVE-2025-14819 / CVE-2025-14017 (libcurl versions before 8.18.0).

      However, our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.

      Could you please confirm whether the bundled updater\libcurl.dll is actually used at runtime by Notepad++ / WinGUp? If it is not used, it may be worth removing or updating that DLL to avoid false positive vulnerability findings in security scans.

      This assessment is based on local static analysis only; we have not yet verified the runtime module loading behavior.

      Thanks.

      xomx @Cheece777
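      The static check described in this post (does GUP.exe's import table or delay-load import table name libcurl.dll?) can be reproduced with a small standard-library PE parser. This is an added example, not code from the thread or from the Notepad++/WinGUp project; the PE image built by build_sample_pe() is constructed test data, and the file paths in the comments are the ones from the post. It does not see DLLs a program loads at runtime with LoadLibrary, which is the runtime check the post leaves unverified.

```python
import struct

def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:  # section table maps RVA -> file offset
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def imported_dlls(data):
    """Return (normal_imports, delay_load_imports) DLL name lists of a PE image (e.g. updater\\GUP.exe)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)  # data directory array: PE32 vs PE32+
    sections = []
    for i in range(nsections):  # IMAGE_SECTION_HEADER: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData at +8
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    def walk(index, entry_size, name_field):  # iterate a descriptor table until its all-zero terminator
        rva = struct.unpack_from("<I", data, dd_off + 8 * index)[0]
        names, off = [], (_rva_to_offset(rva, sections) if rva else None)
        while off is not None and any(data[off:off + entry_size]):
            name_off = _rva_to_offset(struct.unpack_from("<I", data, off + name_field)[0], sections)
            names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
            off += entry_size
        return names
    # Import dir (index 1): 20-byte IMAGE_IMPORT_DESCRIPTOR, Name at +12. Delay-load dir (index 13):
    # 32-byte IMAGE_DELAYLOAD_DESCRIPTOR, DllNameRVA at +4 (assumes RVA-based descriptors, Attributes bit 0 set).
    return walk(1, 20, 12), walk(13, 32, 4)

def uses_dll(data, dll_name):  # True if dll_name is a normal or delay-load import (case-insensitive)
    normal, delayed = imported_dlls(data)
    return dll_name.lower() in {n.lower() for n in normal + delayed}

def build_sample_pe():
    """Constructed minimal PE32 image (test data, not a real binary): one section, KERNEL32.dll imported, ADVAPI32.dll delay-loaded."""
    sec_va, sec_raw = 0x1000, 0x200
    imp = struct.pack("<IIIII", 0, 0, 0, sec_va + 104, 0) + bytes(20)  # one descriptor + terminator
    dly = struct.pack("<IIIIIIII", 1, sec_va + 117, 0, 0, 0, 0, 0, 0) + bytes(32)
    body = (imp + dly + b"KERNEL32.dll\0ADVAPI32.dll\0").ljust(sec_raw, b"\0")
    dirs = [(0, 0)] * 16
    dirs[1], dirs[13] = (sec_va, 40), (sec_va + 40, 64)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", sec_raw, sec_va, sec_raw, sec_raw) + bytes(16)
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return head.ljust(sec_raw, b"\0") + body
```

      On a real binary, call imported_dlls(open(path, "rb").read()) and check whether "libcurl.dll" appears in either list; a DLL that is only loaded with LoadLibrary at runtime will not appear in either table, so an empty result is evidence of static linking but not proof.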

        @Cheece777 said in Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?:

        found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0.

        That is probably a remnant from a previous version.

        our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.

        Yes, it’s now linked statically.

        More info:

        • static link change
        • libcurl 8.19.0 update
        Cheece777 @xomx

          @xomx Thanks for the quick reply.

          Do you plan to remove the leftover updater\libcurl.dll in a future release? If so, we can document this as a false positive on our side.

          xomx @Cheece777

            @Cheece777

            I passed the info to the N++ maintainer:
            https://github.com/notepad-plus-plus/notepad-plus-plus/commit/b34b5b13e82c2af0b47451642ea9680da0dffd24#commitcomment-182497025

            donho @xomx

              @xomx
              Thank you for pinging!
              https://github.com/notepad-plus-plus/notepad-plus-plus/commit/2c1abe0784543e78dbba0f259b0948cf3a08b8cb

              The Community of users of the Notepad++ text editor.