<![CDATA[Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?]]>We reviewed a local Notepad++ 8.9.3 installation and found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0. This version is flagged by our vulnerability scanner in relation to CVE-2025-14819 / CVE-2025-14017 (libcurl versions before 8.18.0).

However, our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.

Could you please confirm whether the bundled updater\libcurl.dll is actually used at runtime by Notepad++ / WinGUp? If it is not used, it may be worth removing or updating that DLL to avoid false positive vulnerability findings in security scans.

This assessment is based on local static analysis only; we have not yet verified the runtime module loading behavior.

Thanks.

]]>https://community.notepad-plus-plus.org/topic/27493/libcurl-in-update-is-version-8-15-0-which-is-flagged-with-cve-2025-14819-cve-2025-14017-but-the-gup-uses-version-8-19-0RSS for NodeThu, 16 Apr 2026 12:57:00 GMTWed, 15 Apr 2026 09:23:22 GMT60<![CDATA[Reply to Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0? on Wed, 15 Apr 2026 19:19:35 GMT]]>@xomx
Thank you for pinging!
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/2c1abe0784543e78dbba0f259b0948cf3a08b8cb

]]>https://community.notepad-plus-plus.org/post/105250https://community.notepad-plus-plus.org/post/105250Wed, 15 Apr 2026 19:19:35 GMT<![CDATA[Reply to Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0? on Wed, 15 Apr 2026 16:53:46 GMT]]>@Cheece777

I pass the info to the N++ maintainer:
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/b34b5b13e82c2af0b47451642ea9680da0dffd24#commitcomment-182497025

]]>https://community.notepad-plus-plus.org/post/105249https://community.notepad-plus-plus.org/post/105249Wed, 15 Apr 2026 16:53:46 GMT<![CDATA[Reply to Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0? on Wed, 15 Apr 2026 12:32:51 GMT]]>@xomx Thanks for the quick reply.

Do you plan to remove the leftover updater\libcurl.dll in a future release? If so, we can document this as a false positive on our side.

]]>https://community.notepad-plus-plus.org/post/105248https://community.notepad-plus-plus.org/post/105248Wed, 15 Apr 2026 12:32:51 GMT<![CDATA[Reply to Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0? on Wed, 15 Apr 2026 12:17:39 GMT]]>@Cheece777 said in Libcurl in update is version 8.15.0, which is flagged with CVE-2025-14819 / CVE-2025-14017, but the GUP uses version 8.19.0?:

found that updater\libcurl.dll is present, with Windows file metadata reporting version 8.15.0.

That is probably a remnant from a previous version.

our local static analysis of updater\GUP.exe (version 5.41) did not show a normal import or delay-load import of libcurl.dll. In addition, GUP.exe contains strings referencing libcurl 8.19.0 (for example CLIENT libcurl 8.19.0), which suggests that the updater may be using a statically linked or otherwise embedded libcurl, rather than the separate updater\libcurl.dll.

Yes, it’s now linked statically.

More info:

]]>https://community.notepad-plus-plus.org/post/105246https://community.notepad-plus-plus.org/post/105246Wed, 15 Apr 2026 12:17:39 GMT