Description
⚠️ Before submitting, please verify the following: ⚠️
- This is a bug, not a question or a configuration issue.
- This issue is not already reported on GitHub (I've searched it).
- Nextcloud Server and Desktop Client are up to date. See Server Maintenance and Release Schedule and Desktop Releases for supported versions.
- I agree to follow Nextcloud's Code of Conduct
Bug description
The Nextcloud desktop client for Windows in version 4.0.4 is shipped with OpenSSL version 3.4.1, which is vulnerable to CVE-2025-9230/9231/9232. We already discussed the issue in https://help.nextcloud.com/t/outdated-openssl-version-on-nextcloud-desktop-windows/237663, and even if the CVEs are probably not exploitable within Nextcloud Desktop, an update of OpenSSL to version 3.4.3+ would be highly appreciated.
Steps to reproduce
Scan the DLL with a vulnerability scanner; for details see https://help.nextcloud.com/t/outdated-openssl-version-on-nextcloud-desktop-windows/237663
Expected behavior
Up-to-date OpenSSL without the known CVE (e.g. OpenSSL 3.4.3)
Which files are affected by this bug
c:\program files\nextcloud\libcrypto-3-x64.dll; c:\program files\nextcloud\libssl-3-x64.dll
Operating system
Windows
Which version of the operating system you are running.
Windows 11
Package
Official Windows MSI
Nextcloud Server version
n.a.
Nextcloud Desktop Client version
4.0.4
Is this bug present after an update or on a fresh install?
Fresh desktop client install
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
Are you using an external user-backend?
- Default internal user-backend
- LDAP/ Active Directory
- SSO - SAML
- Other
Nextcloud Server logs
Additional info
No response
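The check a scanner performs for this report can be reproduced by reading the OpenSSL version banner embedded in the bundled DLLs and comparing it with the 3.4.3 target named in the issue. This is an added example, not code from the reporter or the Nextcloud project; the function names and the status labels are assumptions, and a banner match says nothing about exploitability.

```python
import re
import sys
from pathlib import Path

# Target release on the 3.4 branch, as named in the issue above.
FIXED = (3, 4, 3)

# libcrypto embeds a banner of the form b"OpenSSL <x.y.z> <day> <Mon> <year>".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+) +\d{1,2} [A-Z][a-z]{2} \d{4}")


def embedded_versions(blob: bytes) -> list[tuple[int, ...]]:
    """Return every distinct OpenSSL version banner found in a binary, sorted."""
    return sorted({tuple(int(g) for g in m.groups()) for m in BANNER.finditer(blob)})


def classify(blob: bytes, fixed: tuple[int, int, int] = FIXED) -> str:
    """Classify a binary against the fixed release of its own branch only."""
    versions = embedded_versions(blob)
    if not versions:
        return "no-banner"      # file carries no version banner to compare
    oldest = versions[0]
    if oldest[:2] != fixed[:2]:
        return "other-branch"   # check that branch's own advisory instead
    return "outdated" if oldest < fixed else "fixed"


def scan(directory: Path) -> dict[str, str]:
    """Classify the bundled OpenSSL DLLs in an install directory."""
    results = {}
    for pattern in ("libcrypto-*.dll", "libssl-*.dll"):
        for dll in sorted(directory.glob(pattern)):
            results[dll.name] = classify(dll.read_bytes())
    return results


if __name__ == "__main__":
    # Default path taken from the issue; pass another directory as argv[1].
    target = Path(sys.argv[1] if len(sys.argv) > 1 else r"c:\program files\nextcloud")
    for name, status in scan(target).items():
        print(f"{name}: {status}")
```

Binaries reported as `other-branch` need the fixed version for their own release line, which this page does not list.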