    Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?

      Cheece777

      We reviewed a local Notepad++ 8.9.3 installation and found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0. This version is flagged by our vulnerability scanner in relation to CVE-2025-14819 / CVE-2025-14017 (libcurl versions before 8.18.0).

      However, our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.

      Could you please confirm whether the bundled updater\libcurl.dll is actually used at runtime by Notepad++ / WinGUp? If it is not used, it may be worth removing or updating that DLL to avoid false positive vulnerability findings in security scans.

      This assessment is based on local static analysis only; we have not yet verified the runtime module loading behavior.

      Thanks.

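The check described in the post above (look at the import table and the delay-load import table for libcurl.dll, then look for embedded libcurl version strings) as an added example; this is not code from the thread or from the Notepad++ / WinGUp project. It is a small pure-Python PE reader. The image it builds by default is constructed for offline use; pass a path (for instance updater\GUP.exe) to read a real file. Note that an empty result from the import tables does not prove the DLL is never loaded, because an explicit LoadLibrary call leaves no entry there, so the runtime module check the poster has not yet done remains a separate step.

```python
"""Static check of a Windows PE: is libcurl.dll imported (normally or by
delay-load), and which libcurl version strings are embedded in the image?
Added example; not part of the Notepad++ / WinGUp code."""
import re
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1         # data directory index of the import table
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13  # data directory index of the delay-load table
LIBCURL_VERSION = re.compile(rb"libcurl[/ ](\d+\.\d+\.\d+)")  # "libcurl/8.19.0" or "libcurl 8.19.0"


def parse_pe(data):
    """Return (sections, data_directories) for a PE32 or PE32+ image.
    sections: [(virtual_address, virtual_size, raw_pointer, raw_size), ...]"""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 header layout
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return sections, dirs


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def imported_dlls(data):
    """Return (normal_imports, delay_load_imports): lowercase DLL names read from
    the import descriptor table and the delay-load descriptor table."""
    sections, dirs = parse_pe(data)

    def walk(index, stride, name_field):
        names = []
        if index >= len(dirs) or dirs[index][0] == 0:
            return names                      # directory absent
        off = rva_to_offset(sections, dirs[index][0])
        while True:
            entry = data[off:off + stride]
            if len(entry) < stride or not any(entry):
                return names                  # all-zero descriptor terminates the table
            name_rva = struct.unpack_from("<I", entry, name_field)[0]
            if name_rva:
                names.append(_cstring(data, rva_to_offset(sections, name_rva)).lower())
            off += stride

    # IMAGE_IMPORT_DESCRIPTOR: 20 bytes, Name RVA at offset 12.
    # IMAGE_DELAYLOAD_DESCRIPTOR: 32 bytes, DllNameRVA at offset 4 (RVA form, Attributes bit 0 set).
    return walk(IMAGE_DIRECTORY_ENTRY_IMPORT, 20, 12), walk(IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, 32, 4)


def libcurl_version_strings(data):
    """Distinct libcurl version strings embedded anywhere in the image."""
    return sorted({m.group(1).decode() for m in LIBCURL_VERSION.finditer(data)})


def libcurl_linkage(data):
    """Summarise what the import tables and strings say about libcurl usage.
    No import entry does NOT prove the DLL is never loaded (LoadLibrary leaves
    no trace here), so a runtime module listing is still needed to be sure."""
    normal, delay = imported_dlls(data)
    return {
        "imports_libcurl_dll": "libcurl.dll" in normal,
        "delay_loads_libcurl_dll": "libcurl.dll" in delay,
        "embedded_libcurl_versions": libcurl_version_strings(data),
    }


def build_sample_pe(normal, delay, extra=b""):
    """Constructed minimal PE32+ image (not a runnable program) with one section that
    holds an import table, a delay-load table and free-form strings; for offline tests."""
    sec_rva, sec_raw = 0x1000, 0x200
    sec = bytearray()

    def put(blob):
        rva = sec_rva + len(sec)
        sec.extend(blob)
        return rva

    name_rva = {n: put(n + b"\0") for n in normal + delay}
    imp = b"".join(struct.pack("<5I", 0, 0, 0, name_rva[n], 0) for n in normal) + bytes(20)
    imp_rva = put(imp)
    dly = b"".join(struct.pack("<8I", 1, name_rva[n], 0, 0, 0, 0, 0, 0) for n in delay) + bytes(32)
    dly_rva = put(dly)
    put(extra)
    opt = bytearray(240)                                   # PE32+ optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, imp_rva, len(imp))
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, dly_rva, len(dly))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = b".rdata\0\0" + struct.pack("<IIII", len(sec), sec_rva, len(sec), sec_raw) + bytes(16)
    headers = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(sec_raw, b"\0") + bytes(sec)


if __name__ == "__main__":
    if len(sys.argv) > 1:                                  # e.g. updater\GUP.exe
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:                                                  # constructed sample that delay-loads libcurl.dll
        blob = build_sample_pe((b"KERNEL32.dll",), (b"libcurl.dll",), b"CLIENT libcurl 8.19.0\0")
    print(libcurl_linkage(blob))
```

On a statically linked build the two import lists contain no libcurl.dll while the version string still appears, which is the pattern the first post describes; on a dynamically linked build the DLL shows up in one of the two lists. Either way, compare the embedded version against the file version of any libcurl.dll shipped beside the executable before deciding whether a scanner finding is a false positive.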
        xomx @Cheece777

        @Cheece777 said in Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?:

        found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0.

        That is probably a remnant from a previous version.

        our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.

        Yes, it’s now linked statically.

        More info:

        • static link change
        • libcurl 8.19.0 update
          Cheece777 @xomx

          @xomx Thanks for the quick reply.

          Do you plan to remove the leftover updater\libcurl.dll in a future release? If so, we can document this as a false positive on our side.

            xomx @Cheece777

            @Cheece777

            I passed the info on to the N++ maintainer:
            https://github.com/notepad-plus-plus/notepad-plus-plus/commit/b34b5b13e82c2af0b47451642ea9680da0dffd24#commitcomment-182497025

              donho @xomx

              @xomx
              Thank you for pinging!
              https://github.com/notepad-plus-plus/notepad-plus-plus/commit/2c1abe0784543e78dbba0f259b0948cf3a08b8cb


              The Community of users of the Notepad++ text editor.