Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?
-
We reviewed a local Notepad++ 8.9.3 installation and found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0. This version is flagged by our vulnerability scanner in relation to CVE-2025-14819 / CVE-2025-14017 (libcurl versions before 8.18.0).
However, our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.
Could you please confirm whether the bundled updater\libcurl.dll is actually used at runtime by Notepad++ / WinGUp? If it is not used, it may be worth removing or updating that DLL to avoid false positive vulnerability findings in security scans.
This assessment is based on local static analysis only; we have not yet verified the runtime module loading behavior.
Thanks.
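The runtime check the post leaves open can be done from PowerShell without any third-party tooling. The script below is an added example, not code from the thread or from the Notepad++ / WinGUp project; it assumes the default install directory (adjust $nppDir otherwise), and the module listing in step 3 assumes a PowerShell process of the same bitness as GUP.exe (64-bit PowerShell for a 64-bit Notepad++), run elevated if the process is not yours.

```powershell
# Added example (not Notepad++ / WinGUp code). Assumed default install path.
$nppDir = 'C:\Program Files\Notepad++'
$gup    = Join-Path $nppDir 'updater\GUP.exe'
$dll    = Join-Path $nppDir 'updater\libcurl.dll'

# 1. File metadata of the shipped DLL. This is what a vulnerability scanner
#    keys on, whether or not the file is ever loaded.
if (Test-Path $dll) {
    (Get-Item $dll).VersionInfo |
        Select-Object FileName, FileVersion, ProductVersion
} else {
    Write-Output "No updater\libcurl.dll present"
}

# 2. libcurl version strings embedded in GUP.exe itself. A version string
#    here that differs from the DLL's metadata points to a statically
#    linked copy (e.g. "libcurl/8.19.0" in a User-Agent, or "libcurl 8.19.0").
$bytes = [System.IO.File]::ReadAllBytes($gup)
$text  = [System.Text.Encoding]::ASCII.GetString($bytes)
$embedded = [regex]::Matches($text, 'libcurl[/ ]\d+\.\d+\.\d+') |
    ForEach-Object { $_.Value } | Sort-Object -Unique
Write-Output "Version strings inside GUP.exe:"
$embedded

# 3. Runtime check: while GUP.exe is running (trigger Notepad++'s update
#    check first), list the modules actually mapped into its process.
#    If libcurl.dll is absent from this list, the on-disk DLL is dead weight.
$proc = Get-Process -Name GUP -ErrorAction SilentlyContinue
if (-not $proc) {
    Write-Output "GUP.exe is not running; start an update check and re-run step 3"
} else {
    $loaded = $proc.Modules | Select-Object ModuleName, FileName, FileVersion
    Write-Output "Network/TLS-related modules loaded by GUP.exe (PID $($proc.Id)):"
    $loaded | Where-Object { $_.ModuleName -match 'curl|ssl|crypto|winhttp|wininet|schannel' }

    $usesDll = ($loaded.ModuleName -contains 'libcurl.dll')
    Write-Output ("updater\libcurl.dll loaded at runtime: {0}" -f $usesDll)
}
```

Step 2 scans the raw image as ASCII, so it also catches version strings that a normal strings pass would show; step 3 is the authoritative answer, since a DLL can still be pulled in through LoadLibrary at runtime even when the static import and delay-load tables do not reference it. Keep the scanner finding open until step 3 has been observed on the installed build.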
-
@Cheece777 said in Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?:
found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0.
That is probably a remnant from a previous version.
our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.
Yes, it’s now linked statically.
More info: