Hello - if your install says you may have a vulnerable curl install and furthermore, says:
try running curl -v https:/xxxxxxxx.com/matomo/matomo.js on your server and see if it is able to fetch the file successfully
That’s not very useful: because what is the verdict if it is or isn’t able to retrieve the file successfully? It would be more useful to indicate that it is or isn’t vulnerable based on what it retrieves rather than just asking the admin to see if it fetches the file successfully.
The vulnerable curl version check just compares your curl version with https://curl.se/docs/security.html. Keep in mind that there are many vulnerabilities that don’t affect curl when used in Matomo and the last ones were only reported last week, so it might take a while for the fixes to land on every system.
That message is completly independent of the curl vulnerability check. Instead it tries to access matomo.js to check if it is is served by your webserver with the correct mime type and gzipped.
Matomo reports “Your curl version (7.81.0) might be vulnerable…” but when I run curl -V version it comes back as curl 7.29.0 so I’m trying to get the proper way to display the curl version for your reported error message. . .