Any new Gpg4win update beyond version 4.4.0 planned?

When looking into the source package, 5.0.0-beta145 has gnupg-w32-2.5.5_20250307-bin.exe which has the fix. (Also thanks to @eebb for confirmation.)

One more thing about the term vulnerability:
While by common definitions, this defect is a software vulnerability, the low CVSSv3 score (2.7 by Redhat) shows that it is not something which needs a quick fix. Even a CVE number is not really helpful. The reasons are:

  • if defects like this get CVE numbers, then many regular improvements in software development would need to get one, which is too many to be useful. The significant vulnerabilities that must be fixed quickly would be drowned among regular fixes.
  • the term vulnerability sometimes triggers the need for a patch or a fast fix out of the regular schedule. Those fixes come with their own risks because of the accelerated development. As we have a low severity thing here, a quick fix is potentially less secure than a regular maintenance release.

In that sense we do not have a vulnerability - as we do not need a quick fix, and it is more like a regular defect, of which there are many.
