The most critical fix in v8.9.3 is the update of cURL to v8.19.0 within Notepad++’s auto-updater component, WinGUp, to address CVE-2025-14819.
This vulnerability, classified under CWE-295 (Improper Certificate Validation), exists in libcurl versions 7.87.0 through 8.17.0 and carries a CVSS 3.1 base score of 5.3 (Medium).
The flaw is triggered during TLS transfers when a reused easy or multi handle changes the CURLSSLOPT_NO_PARTIALCHAIN option between transfers.
Under that condition, libcurl can reuse a CA store cached in memory whose partial-chain setting is the opposite of what the current transfer requested, so the library may accept a partial certificate chain (one that ends at a trusted intermediate rather than a root) that it should have rejected, or reject a chain it should have accepted.
This opens a pathway for man-in-the-middle (MitM) attacks on the update mechanism. Notepad++’s WinGUp updater was previously bundling libcurl version 7.87.0, which fell squarely within the affected range.
The fix upgrades the component to cURL v8.19.0, fully closing the vulnerability window.
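To make the handle-reuse condition concrete, here is an added Python model of the cache mix-up; it is not curl's code and not code from the Notepad++ or WinGUp projects. It puts a CA-store cache that keys only on the bundle path (so a cache hit silently keeps whatever partial-chain setting the store was first loaded with) beside one whose key includes the flag. The `Cert` and `CaStore` helpers, the bundle paths and the certificate names are constructed for illustration; the verification rule mirrors the partial-chain semantics described above.

```python
"""Model of a CA-store cache that ignores CURLSSLOPT_NO_PARTIALCHAIN in its key.

Illustrative reconstruction only (not libcurl's implementation): the cache is
what lets a reused handle skip re-parsing the CA bundle on every transfer, and
the bug is that the cached store carries the partial-chain policy it was built
with. All certificates and bundle paths below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate; only the names matter here."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class CaStore:
    """A parsed CA bundle together with the policy it was loaded with."""
    trusted: FrozenSet[Cert]
    allow_partial: bool  # False when CURLSSLOPT_NO_PARTIALCHAIN is set

    def verify(self, chain: Sequence[Cert]) -> bool:
        """Partial-chain rule as in OpenSSL's X509_V_FLAG_PARTIAL_CHAIN: with
        allow_partial the chain may end at any certificate found in the store;
        without it, the chain must reach a self-signed root in the store."""
        for i, cert in enumerate(chain):
            if cert in self.trusted and (cert.self_signed or self.allow_partial):
                return True
            if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
                return False  # broken issuer link inside the presented chain
        top = chain[-1]
        return any(r.self_signed and r.subject == top.issuer for r in self.trusted)


# Constructed sample PKI: leaf <- intermediate <- root.
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Issuing CA", "Example Root CA")
LEAF = Cert("updates.example.test", "Example Issuing CA")

# Constructed bundles: path -> trust anchors it contains. The pinned bundle holds
# only the intermediate, so accepting it at all depends on the partial-chain flag.
BUNDLES: Dict[str, FrozenSet[Cert]] = {
    "/etc/ssl/pinned-issuing-ca.pem": frozenset({INTER}),
    "/etc/ssl/full-root.pem": frozenset({ROOT}),
}
SERVER_CHAIN: List[Cert] = [LEAF, INTER]  # what the server presents


class VulnerableCaCache:
    """Keyed on the bundle path only: a cache hit ignores the current flag."""
    def __init__(self) -> None:
        self._stores: Dict[str, CaStore] = {}

    def get(self, ca_path: str, no_partialchain: bool) -> CaStore:
        if ca_path not in self._stores:
            self._stores[ca_path] = CaStore(BUNDLES[ca_path], not no_partialchain)
        return self._stores[ca_path]


class FixedCaCache:
    """Keyed on every input that shapes verification, flag included."""
    def __init__(self) -> None:
        self._stores: Dict[Tuple[str, bool], CaStore] = {}

    def get(self, ca_path: str, no_partialchain: bool) -> CaStore:
        key = (ca_path, no_partialchain)
        if key not in self._stores:
            self._stores[key] = CaStore(BUNDLES[ca_path], not no_partialchain)
        return self._stores[key]


def reuse_handle(cache, flag_per_transfer: Sequence[bool],
                 ca_path: str = "/etc/ssl/pinned-issuing-ca.pem",
                 chain: Sequence[Cert] = SERVER_CHAIN) -> List[bool]:
    """One reused handle doing consecutive transfers, setting
    CURLSSLOPT_NO_PARTIALCHAIN to the given value before each transfer.
    Returns the verification verdict of each transfer."""
    return [cache.get(ca_path, flag).verify(chain) for flag in flag_per_transfer]


if __name__ == "__main__":
    # Transfer 1 leaves partial chains allowed; transfer 2 sets NO_PARTIALCHAIN.
    print("vulnerable:", reuse_handle(VulnerableCaCache(), [False, True]))  # [True, True]
    print("fixed:     ", reuse_handle(FixedCaCache(), [False, True]))       # [True, False]
```

The second transfer is the one that matters: with the vulnerable cache it still accepts the chain that ends at the intermediate even though the caller asked for strict validation, which is the "setting reversed" behaviour the advisory describes. Running the flags in the other order shows the mirror image, a store stuck in strict mode rejecting a chain the caller would now accept. The general lesson is that anything cached across transfers must be keyed on every option that influences the result.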
This patch is particularly sensitive given Notepad++’s recent security history. In late 2025, a China-nexus threat actor tracked as Lotus Panda compromised the application’s hosting infrastructure, hijacking the WinGUp update channel from June through December 2025 to deliver a previously unknown backdoor, Chrysalis, to selected targets.
The vulnerability tracked as CVE-2025-15556 (CVSS 7.7) in connection with that supply chain incident underscored that every layer of the update pipeline, including the TLS client that fetches the update, has to be secured.
A foundational performance enhancement also ships in this release: the complete migration of Notepad++’s internal XML parser from TinyXML to pugixml, finalized after being gradually rolled out across several prior versions.
The new pugixml 1.15 engine is significantly lighter and faster, directly improving the speed at which Notepad++ reads and writes its configuration files.
Users with heavily customized environments or many installed plugins will notice faster startup times and more responsive settings management.
All regressions introduced during this migration process have also been resolved in this release.
The release also updates Scintilla to 5.6.0 and Lexilla to 5.4.7, improves theme-writing paths for non-standard installations, fixes a bug that could overwrite autocomplete files during updates, and prevents XML configuration files from being overwritten when updating portable package installations.
Given the active threat landscape surrounding Notepad++, including the confirmed Lotus Panda supply chain attack, all users and security professionals are strongly advised to update to v8.9.3 immediately.
The update is available directly from the official Notepad++ downloads page. Full release notes, bug reports, and community discussion are available on the official Notepad++ Community Forum.
The post Notepad++ v8.9.3 Update Fixes cURL Vulnerability and Crash Bugs appeared first on Cyber Security News.