Check Windows for outdated libcurl libraries in programs

I mentioned this before in my blog: Microsoft often ships outdated versions of the cURL library that have security vulnerabilities. Software packages also come with ancient libcurl files. How can I check whether there are any legacy issues lurking on my systems?

What are cURL and libcurl?

cURL (which stands for Client for URLs or Curl URL Request Library) is both a program library and a command line program for transferring files in computer networks. cURL is licensed under the open MIT license and has been ported to various operating systems.

The core (engine) of the command line tool curl is libcurl. libcurl is included as a library in thousands of tools, services, and applications that transfer data over the Internet.

Do I have old libcurl versions in my system?

Robert G. contacted me by email at the beginning of July 2025 with the subject line "Salesforce and libcurl" and the words "if it's not working again…" The background to the email was that a colleague had approached Robert and asked for advice. Nessus' vulnerability analysis had triggered an alarm on one of this colleague's systems. The problem was apparently an old Salesforce ODBC driver that used ancient libcurl files in the following path:

C:\Program Files (x86)\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib

When he checked, he found an outdated version of the libcurl.dll file in the folder. Robert remembered that there had already been complaints on the blog that Microsoft had rolled out an ancient version of this library with its security updates. The question arose as to how to check whether there were any other outdated versions of the library on the system. The following PowerShell command:

(Get-ChildItem -Path "C:\Program Files", "C:\Program Files (x86)" -Filter libcurl.dll -Recurse -ErrorAction SilentlyContinue) |  ForEach-Object { Get-Command ($_.fullname)} | Select-Object source,version

searches the Windows program folders for the file libcurl.dll and lists the hits found, including the file version. Under Windows 11 24H2, Robert then found the following files.

C:\Program Files\Adobe\Adobe Lightroom Classic\libcurl.dll                              8.11.1.0

C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\libcurl.dll 8.7.0.0

C:\Program Files\Notepad++\updater\libcurl.dll                                          8.13.0.0

C:\Program Files (x86)\Synology\ActiveBackupforBusinessAgent\ui\ui\libcurl.dll          7.87.0.0

C:\Program Files (x86)\VMware\VMware Remote Console\libcurl.dll                         8.3.0.0

On Windows Server 2019, however, the following files were listed for Robert in a search.

C:\Program Files\Fujitsu\ServerView Suite\Agents\PrimeCollect\Tools\libcurl.dll 7.72.0.0

C:\Program Files\Fujitsu\ServerView Suite\RAID Manager\bin\libcurl.dll          7.74.0.0

C:\Program Files\Notepad++\updater\libcurl.dll                                  8.13.0.0

C:\Program Files\PostgreSQL\15\bin\libcurl.dll                                  8.11.0.0

C:\Program Files\Veeam\Backup and Replication\Backup\VSS\libcurl.dll            0.0.0.0

C:\Program Files (x86)\Synology\ActiveBackupforBusinessAgent\ui\ui\libcurl.dll  7.87.0.0

C:\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\libcurl.dll  0.0.0.0

C:\Program Files (x86)\Veeam\Backup Transport\x64\vddk_6_0\libcurl.dll          0.0.0.0

C:\Program Files (x86)\Veeam\Backup Transport\x64\vddk_6_7\libcurl.dll          7.64.1.0

C:\Program Files (x86)\Veeam\Backup Transport\x64\vddk_7_0\libcurl.dll          8.4.0.0

C:\Program Files (x86)\Veeam\Backup Transport\x64\vix\libcurl.dll               0.0.0.0

C:\Program Files (x86)\Veeam\Backup Transport\x86\vix\libcurl.dll               0.0.0.0

The files listed without a version (0.0.0.0) were signed in February 2013, so they are very old. The only program that comes with a current version is Notepad++, Robert wrote to me. This may be helpful for some administrators (thanks to Robert for the tip).
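The one-liner above reports 0.0.0.0 for copies that have no version resource. The following added example (not Robert's command and not from the article) goes a step further: it falls back to the "libcurl/x.y.z" banner string inside the DLL, records the Authenticode signer, and flags anything below a baseline. `$MinVersion` is a placeholder you must set yourself, and the banner search is a heuristic that assumes the build embeds that string.

```powershell
# Added example: inventory libcurl.dll copies and flag those below a chosen baseline.
$Roots      = 'C:\Program Files', 'C:\Program Files (x86)'
$MinVersion = [version]'8.0.0'   # placeholder baseline (assumption), set to your own policy

function Get-EmbeddedCurlVersion {
    param([string]$Path)
    # Heuristic (assumption): libcurl builds usually contain a "libcurl/x.y.z" banner.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match 'libcurl/(\d+\.\d+\.\d+)') { [version]($Matches[1]) } else { $null }
}

Get-ChildItem -Path $Roots -Filter libcurl.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Numeric parts of the version resource; all zero means no usable resource.
        $ver    = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
        $source = 'resource'
        if ($ver -eq [version]'0.0.0') {
            # Edge case from the listings above: fall back to the embedded banner.
            $ver    = Get-EmbeddedCurlVersion -Path $_.FullName
            $source = if ($ver) { 'banner' } else { 'unknown' }
        }
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path            = $_.FullName
            Version         = $ver
            VersionSource   = $source
            # $null means "could not determine", which deserves a manual look.
            Outdated        = if ($ver) { $ver -lt $MinVersion } else { $null }
            Signer          = $sig.SignerCertificate.Subject
            SignatureStatus = $sig.Status
            LastWriteTime   = $_.LastWriteTime
        }
    } |
    Sort-Object Version |
    Format-Table -AutoSize -Wrap
```

Rows with VersionSource "unknown" or an empty Signer are the ones to check by hand; the Signer column also shows which vendor to ask for an update.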

Similar articles:
Windows 10/11: Microsoft still ships old version of cURL lib with vulnerabilities (Feb. 2023)
Windows and the cURL trap; deleted curl instance breaks Windows update
curl vulnerability still unpatched by Microsoft
Windows: cURL 8.4.0 update coming on November 14, 2023 patch day


One Response to Check Windows for outdated libcurl libraries in programs

  1. OldNavyGuy says:

    So what actions are users supposed to take?

    I have 3 different versions of libcurl from 3 different vendors that are outdated.

    None of those three have any product updates available.
