CVE-2025-54799

Name
CVE-2025-54799
Description
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.
NVD Severity
low
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96
CONFIRM https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4

Match rules

CPE URI Source package Min version Max version
lego >= 0 < 4.25.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
lego edge-community 4.24.0-r4 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.24.0-r3 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.24.0-r2 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.24.0-r1 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.24.0-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.23.1-r1 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.23.1-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.22.2-r3 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.22.2-r2 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.22.2-r1 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.22.2-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.21.0-r2 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.21.0-r1 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.21.0-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego edge-community 4.20.4-r0 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego 3.22-community 4.23.1-r5 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego 3.22-community 4.23.1-r4 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego 3.22-community 4.23.1-r3 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego 3.22-community 4.23.1-r2 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable
lego 3.22-community 4.20.4-r5 Carlo Landmeter <clandmeter@alpinelinux.org> possibly vulnerable