CVE-2025-54799
Published 2025-08-07
CVE-2025-54799: Let's Encrypt client and ACME library written in Go (Lego)
Priority: P4 · Severity: low · CVSS 4.0 base score: 2.3
EPSS: 0.20% (9.9th percentile)
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (and therefore the lego library and the lego CLI as well) doesn't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge, which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to perform ACME functions. However, the library fails to enforce HTTPS both for the original discovery URL (configured by the library user) and for the subsequent addresses returned by the CA in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details such as account and request identifiers to network attackers. This was fixed in version 4.25.2.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-xenolf-lego | — | — |
| github.com | go-acme_lego | 0 – 4.25.1 | — |
| github.com | go-acme_lego_v3 | 0 – 4.25.1 | — |
| github.com | go-acme_lego_v4 | >= 0 < 4.25.2 | 4.25.2 |
| go-acme | lego | < 4.25.2 | 4.25.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 2.3 | LOW | — |
| vendor_debian | — | 2.3 | LOW | — |
| vendor_redhat | — | 2.3 | LOW | — |
Red Hat
github.com/go-acme/lego: Lego: Unenforced HTTPS Communication Vulnerability
vendor_redhat · 2025-08-07 · CVSS 2.3 · LOW · CWE-319
Debian
CVE-2025-54799: golang-github-xenolf-lego - Let's Encrypt client and ACME library written in Go (Lego)
vendor_debian · 2025 · CVSS 2.3 · LOW
OSV
github.com/go-acme/lego/v4/acme/api does not enforce HTTPS in github.com/go-acme/lego
osv · 2025-08-11
OSV
CVE-2025-54799: Let's Encrypt client and ACME library written in Go (Lego)
osv · 2025-08-07 · CVSS 2.3 · LOW
OSV
github.com/go-acme/lego/v4/acme/api does not enforce HTTPS
osv · 2025-08-06 · LOW
## Summary
It was discovered that the github.com/go-acme/lego/v4/acme/api package (and therefore the lego library and the lego CLI as well) doesn't enforce HTTPS when talking to CAs as an ACME client.
## Details
Unlike the http-01 challenge, which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to perform ACME functions. This is stated in section 6.1 of RFC 8555: [https://datatracker.ietf.org/doc/html/rfc8555#section-6.1](https://datatracker.ietf.org/doc/html/rfc8555#section-6.1)
> Each ACME function is accomplished by the client sending a sequence
> of HTTPS requests to the server [[RFC2818](https://datatracker.ietf.org/doc/html/rfc2818)], carrying JSON messages
> [[RFC8259
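The advisory describes two places where the missing check matters: the operator-supplied directory URL, and every URL the CA hands back afterwards in the directory and order objects. The following is an added example written for this page, not code from the lego project or from the 4.25.2 fix, showing what such a scheme check looks like on the client side. The `Directory` and `Order` structs are written here for the example and only borrow the field names from RFC 8555 sections 7.1.1 and 7.1.3; the hostnames and JSON body are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Directory mirrors the URL-bearing fields of an ACME directory object
// (RFC 8555 section 7.1.1). Written for this example; not lego's own type.
type Directory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
	NewAuthz   string `json:"newAuthz,omitempty"` // optional in the RFC
	RevokeCert string `json:"revokeCert"`
	KeyChange  string `json:"keyChange"`
}

// Order mirrors the URL-bearing fields of an ACME order object
// (RFC 8555 section 7.1.3). Written for this example; not lego's own type.
type Order struct {
	Authorizations []string `json:"authorizations"`
	Finalize       string   `json:"finalize"`
	Certificate    string   `json:"certificate,omitempty"`
}

// RequireHTTPS rejects any endpoint that is not an absolute https:// URL.
// This is the check the advisory says was absent: it must run on the
// operator-supplied directory URL and on every URL the CA returns later.
func RequireHTTPS(field, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: unparsable URL %q: %w", field, raw, err)
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return fmt.Errorf("%s: refusing non-HTTPS ACME endpoint %q (scheme %q)", field, raw, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("%s: URL %q has no host", field, raw)
	}
	return nil
}

// CheckDirectory validates every endpoint of a directory object. The
// optional newAuthz field may be absent; every other field must be https.
func CheckDirectory(d Directory) error {
	fields := map[string]string{
		"newNonce": d.NewNonce, "newAccount": d.NewAccount, "newOrder": d.NewOrder,
		"newAuthz": d.NewAuthz, "revokeCert": d.RevokeCert, "keyChange": d.KeyChange,
	}
	for name, raw := range fields {
		if name == "newAuthz" && raw == "" {
			continue
		}
		if err := RequireHTTPS(name, raw); err != nil {
			return err
		}
	}
	return nil
}

// CheckOrder validates the URLs a CA returns inside an order object.
func CheckOrder(o Order) error {
	for i, a := range o.Authorizations {
		if err := RequireHTTPS(fmt.Sprintf("authorizations[%d]", i), a); err != nil {
			return err
		}
	}
	if err := RequireHTTPS("finalize", o.Finalize); err != nil {
		return err
	}
	if o.Certificate != "" {
		return RequireHTTPS("certificate", o.Certificate)
	}
	return nil
}

// ParseAndCheckDirectory decodes a directory response body and validates it
// before any of its endpoints are used, which is the order a hardened
// client should apply the check in.
func ParseAndCheckDirectory(body []byte) (Directory, error) {
	var d Directory
	if err := json.Unmarshal(body, &d); err != nil {
		return d, err
	}
	return d, CheckDirectory(d)
}

// Constructed sample directory: every endpoint is https except newOrder,
// which a misconfigured CA has published over plain http.
const sampleDirectory = `{
  "newNonce":   "https://acme.example.test/acme/new-nonce",
  "newAccount": "https://acme.example.test/acme/new-acct",
  "newOrder":   "http://acme.example.test/acme/new-order",
  "revokeCert": "https://acme.example.test/acme/revoke-cert",
  "keyChange":  "https://acme.example.test/acme/key-change"
}`

func main() {
	for _, raw := range []string{"https://acme.example.test/directory", "http://acme.example.test/directory"} {
		fmt.Printf("directory URL %s: %v\n", raw, RequireHTTPS("directory", raw))
	}
	_, err := ParseAndCheckDirectory([]byte(sampleDirectory))
	fmt.Println("sample directory:", err)
}
```

The check is applied at two boundaries on purpose: once on the URL the operator configured (catching the "users input HTTP URLs" case) and once on every URL parsed out of a CA response (catching the "CAs misconfigure endpoints" case). A scheme check on the configured URL alone would not cover the second case, because the directory and order objects are where the client learns most of the addresses it will talk to.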
GHSA
github.com/go-acme/lego/v4/acme/api does not enforce HTTPS
ghsa · 2025-08-06 · LOW · CWE-319
(Advisory text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
Published: 2025-08-07