PT-2025-32239 · Go Acme · Lego · Chrisnojima
Published 2025-08-06 · Updated 2025-08-19 · CVE-2025-54799
CVSS v4.0: 2.3 (Low)
| Vector | AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Lego versions 4.25.1 and below
Description
The github.com/go-acme/lego/v4/acme/api package, and consequently the Lego library and command-line interface, does not enforce HTTPS when communicating with Certificate Authorities (CAs) as an ACME client. The ACME protocol requires HTTPS for client-CA communication, but the library fails to enforce this requirement both for the initial discovery (directory) URL and for the subsequent endpoint URLs provided by CAs. This can lead to privacy compromises: request and response details, including account and request identifiers, may be exposed to network attackers if HTTP URLs are used or if CAs misconfigure their endpoints.
Recommendations
Lego versions prior to 4.25.2 are affected.
Update to version 4.25.2 or later to resolve this issue.
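As an added illustration (not Lego's own code and not the 4.25.2 fix), the following Go snippet shows the check an ACME client needs at both points named in the description: the directory URL it is configured with, and every endpoint URL the CA then returns in its directory resource. The function names and the sample directory are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// acmeDirectory mirrors the endpoint URLs an ACME CA advertises in its directory (RFC 8555, 7.1.1).
type acmeDirectory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
	RevokeCert string `json:"revokeCert"`
	KeyChange  string `json:"keyChange"`
}
// requireHTTPS rejects any URL that is not https with a host, so no CA endpoint is ever used in cleartext.
func requireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid URL %q: %w", raw, err)
	}
	if !strings.EqualFold(u.Scheme, "https") || u.Host == "" {
		return fmt.Errorf("ACME requires HTTPS, got %q", raw)
	}
	return nil
}

// insecureDirectoryURLs checks the directory URL and every endpoint the CA returned, listing each
// one that is not HTTPS (a missing entry counts too); any hit means the directory must be rejected.
func insecureDirectoryURLs(directoryURL string, body []byte) ([]string, error) {
	var dir acmeDirectory
	if err := json.Unmarshal(body, &dir); err != nil {
		return nil, fmt.Errorf("decoding directory: %w", err)
	}
	var bad []string
	for _, raw := range []string{directoryURL, dir.NewNonce, dir.NewAccount, dir.NewOrder, dir.RevokeCert, dir.KeyChange} {
		if requireHTTPS(raw) != nil {
			bad = append(bad, raw)
		}
	}
	if len(bad) > 0 {
		return bad, fmt.Errorf("directory advertises %d non-HTTPS endpoint(s)", len(bad))
	}
	return nil, nil
}
// Constructed sample: a CA whose newOrder endpoint was misconfigured to plain HTTP.
const sampleDirectory = `{"newNonce":"https://ca.example/acme/new-nonce","newAccount":"https://ca.example/acme/new-acct","newOrder":"http://ca.example/acme/new-order","revokeCert":"https://ca.example/acme/revoke-cert","keyChange":"https://ca.example/acme/key-change"}`
```

Running the check against sampleDirectory reports the single http://ca.example/acme/new-order entry, which is exactly the misconfigured-CA case the description warns about.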
Weakness Enumeration
Cleartext Transmission of Sensitive Information
Related Identifiers
Affected Products
Debian
Lego