Go Acme · Lego · CVE-2025-54799
**Name of the Vulnerable Software and Affected Versions**
Lego versions 4.25.1 and below
**Description**
The `github.com/go-acme/lego/v4/acme/api` package, and therefore the Lego library and command-line client built on it, does not enforce HTTPS when communicating with a Certificate Authority (CA) as an ACME client. The ACME protocol (RFC 8555, section 6.1) requires that all client-to-CA communication use HTTPS, but the library did not check the URL scheme of either the initial directory URL or the endpoint URLs the CA subsequently supplies (the directory document's resource URLs and the order, authorization, challenge and certificate URLs returned in later responses). If an `http://` directory URL is configured, or a CA misconfigures one of its endpoints as plain HTTP, requests and responses are sent in cleartext and an on-path network attacker can read them, including account URLs and order and authorization identifiers. The JWS signature ACME places on requests protects their integrity, not their confidentiality, so this is a privacy compromise.
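The missing check is small, so the following added example (written for this page, not Lego's own code) shows what an ACME client should do in both places the description names: validate the configured directory URL and every CA-supplied URL in the directory document (the RFC 8555 section 7.1.1 fields), and, as a defense-in-depth layer, wrap the `http.RoundTripper` so that no plaintext request can leave the process at all, including follow-up requests to order or challenge URLs that higher-level code forgot to check. The `ca.example` URLs and the directory body are constructed sample data.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrNotHTTPS is returned for any URL whose scheme is not https.
var ErrNotHTTPS = errors.New("acme: URL must use https")

// requireHTTPS enforces the RFC 8555 §6.1 rule that every client-to-CA URL
// uses HTTPS. Relative or hostless URLs are rejected as well.
func requireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("acme: invalid URL %q: %w", raw, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%w: got %q", ErrNotHTTPS, raw)
	}
	return nil
}

// directory holds the resource URLs of an ACME directory object (RFC 8555 §7.1.1).
type directory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
	NewAuthz   string `json:"newAuthz,omitempty"` // optional in the spec
	RevokeCert string `json:"revokeCert"`
	KeyChange  string `json:"keyChange"`
}

// parseDirectory decodes a directory response and rejects it if the directory
// URL itself or any CA-supplied endpoint is not HTTPS. This is the check for
// "addresses provided by CAs" that a client must perform on its own.
func parseDirectory(dirURL string, body []byte) (*directory, error) {
	if err := requireHTTPS(dirURL); err != nil {
		return nil, err
	}
	var d directory
	if err := json.Unmarshal(body, &d); err != nil {
		return nil, fmt.Errorf("acme: bad directory JSON: %w", err)
	}
	fields := map[string]string{
		"newNonce": d.NewNonce, "newAccount": d.NewAccount, "newOrder": d.NewOrder,
		"newAuthz": d.NewAuthz, "revokeCert": d.RevokeCert, "keyChange": d.KeyChange,
	}
	for name, u := range fields {
		if name == "newAuthz" && u == "" {
			continue // optional field may be absent
		}
		if err := requireHTTPS(u); err != nil {
			return nil, fmt.Errorf("directory field %s: %w", name, err)
		}
	}
	return &d, nil
}

// httpsOnlyTransport refuses to send any request that is not HTTPS. Redirects
// and later CA-supplied URLs (order, authz, challenge, certificate) all pass
// through the transport, so this catches URLs the caller did not validate.
type httpsOnlyTransport struct {
	next http.RoundTripper
}

func (t httpsOnlyTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if err := requireHTTPS(req.URL.String()); err != nil {
		return nil, err
	}
	return t.next.RoundTrip(req)
}

// newHTTPSOnlyClient returns an http.Client that cannot speak plaintext HTTP.
func newHTTPSOnlyClient() *http.Client {
	return &http.Client{Transport: httpsOnlyTransport{next: http.DefaultTransport}}
}

func main() {
	// Constructed sample directory: the CA misconfigured newOrder as plain http.
	body := []byte(`{"newNonce":"https://ca.example/acme/new-nonce",
	 "newAccount":"https://ca.example/acme/new-acct",
	 "newOrder":"http://ca.example/acme/new-order",
	 "revokeCert":"https://ca.example/acme/revoke-cert",
	 "keyChange":"https://ca.example/acme/key-change"}`)
	_, err := parseDirectory("https://ca.example/directory", body)
	fmt.Println(err)

	// A plaintext directory URL never reaches the network.
	_, err = newHTTPSOnlyClient().Get("http://ca.example/directory")
	fmt.Println(err)
}
```

Checking the scheme at the transport layer is the cheaper safeguard of the two, because every ACME request, including the ones made with URLs the CA handed back, goes through it; the directory-level check exists so that a misconfigured CA is reported by field name before any request is made.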
**Recommendations**
All Lego releases before 4.25.2 are affected. Update to version 4.25.2 or later to resolve this issue; in a Go module you can confirm the resolved version with `go list -m github.com/go-acme/lego/v4`. Until the update is in place, make sure the configured ACME directory URL begins with `https://`, since affected versions will not reject a plaintext one.