Notepad++ DLL Hijacking (CVE-2025-56383): CVSS 8.4 or CVSS 0.0?

A vulnerability on a popular source-code editor has been recently released along with a proof-of-concept (POC) exploit, but the security community isn’t so sure that it’s a legitimate flaw.

In this article, we look at CVE-2025-56383, discuss what developers are saying in the wild, and provide our experts’ take on the issue.

An Overview of CVE-2025-56383

On September 26, 2025, GitHub user zer0t0 released a PoC that claimed to exploit a DLL hijacking vulnerability on the widely used text editor Notepad++. This issue was assigned CVE-2025-56383. However, just five days after the release of the vulnerability, its description on the CVE site was amended. A note now states that CVE-2025-56383 “was being disputed by multiple parties because the behavior only occurs when a user installs the product into a directory tree that allows write access by arbitrary unprivileged users.”

Currently, online security-focused outlets such as Cyber Security News, GBHackers, eSecurityPlanet, Red Hot Cyber, and Una Al Dia have reported on the vulnerability. Vulnerability assessment tools such as Tenable are also releasing checks for this vulnerability.

However, let’s look at why this CVE is being disputed.

What Developers Are Saying

In the same GitHub repository where the POC was released, developers have raised concerns about CVE-2025-56383. Alexander Gavrilov (dartraiden), stated that for the attack to materialize, a threat actor must first have elevated privileges, as Notepad++ installs itself and loads plugins from Program Files.

Figure 1. An issue was opened on the GitHub repository containing the POC for CVE-2025-56383

Meanwhile, on Notepad++’s community board, some developers and programmers also shared the sentiment that CVE-2025-56383 is not a real vulnerability. In fact, the development team is not planning on addressing the issue at all. Don Ho (donho), echoed Gavrilov’s thoughts, stating that by default, Notepad++ and its plugins are installed in Program Files. To compromise the app, threat actors must have elevated privileges, which could also mean that they could just replace any application or executable binary on the system.

Figure 2. User donho shares his thoughts on the legitimacy of CVE-2025-56383

In his post, Ho linked to a 2016 article titled “Dubious Security Vulnerability: Attacking the Application Directory in Order to Fool Yourself?” penned by Microsoft programmer Raymond Chen. Chen shares that the application directory is a trusted location. When unauthorized users gain access to the application directory, they can gain control over the app.

Here at LevelBlue SpiderLabs, we agree with the dispute. If a threat actor already has access to a privileged directory, then they can place any malware on the system already. If the threat actor can social engineer a user into installing a DLL in a privileged directory, then they can convince a user to install any malware. Finally, if the application is installed in a non-default location or unprivileged folder, the same scenario exists. If the threat actor has the ability to replace an applications DLL, they would have to ability to put malware directly in the same location.