Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities by go-acme

    CVE-2026-40611 (GCVE-0-2026-40611)

    Vulnerability from nvd – Published: 2026-04-21 17:58 – Updated: 2026-06-30 12:08
    VLAI
    Title
    Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
    Summary
    Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    go-acme lego Affected: < 4.34.0
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.28     cpe:/a:redhat:openshift_devspaces:3.28::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40611",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T19:17:50.782641Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:17:54.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.28::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.28",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-21T17:58:35.221Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in lego, the Let\u0027s Encrypt client and ACME library written in Go. A malicious ACME (Automated Certificate Management Environment) server can exploit a path traversal vulnerability in the webroot HTTP-01 challenge provider. By supplying a specially crafted challenge token containing directory traversal sequences, the server can cause lego to write or delete files in arbitrary locations on the system where lego is running, potentially leading to system compromise."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:55.162Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-40611"
              },
              {
                "name": "RHBZ#2460233",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460233"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40611.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:21772"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-21T20:01:57.383Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-21T17:58:35.221Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this issue, ensure that the `lego` client only interacts with trusted ACME servers. Additionally, run the `lego` process with the least necessary privileges and in a restricted environment to limit the potential impact of arbitrary file operations. This may involve containerization or specific filesystem access controls."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "lego",
              "vendor": "go-acme",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.34.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Let\u0027s Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T17:58:35.221Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"
            }
          ],
          "source": {
            "advisory": "GHSA-qqx8-2xmm-jrv8",
            "discovery": "UNKNOWN"
          },
          "title": "Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40611",
        "datePublished": "2026-04-21T17:58:35.221Z",
        "dateReserved": "2026-04-14T14:07:59.642Z",
        "dateUpdated": "2026-06-30T12:08:55.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54799 (GCVE-0-2025-54799)

    Vulnerability from nvd – Published: 2025-08-07 00:04 – Updated: 2025-08-07 14:07
    VLAI
    Title
    Lego does not enforce HTTPS
    Summary
    Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    go-acme lego Affected: < 4.25.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54799",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-07T14:07:23.435795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-07T14:07:32.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "lego",
              "vendor": "go-acme",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.25.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Let\u0027s Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don\u0027t enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-07T00:04:14.718Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4"
            },
            {
              "name": "https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96"
            }
          ],
          "source": {
            "advisory": "GHSA-q82r-2j7m-9rv4",
            "discovery": "UNKNOWN"
          },
          "title": "Lego does not enforce HTTPS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54799",
        "datePublished": "2025-08-07T00:04:14.718Z",
        "dateReserved": "2025-07-29T16:50:28.395Z",
        "dateUpdated": "2025-08-07T14:07:32.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-40611 (GCVE-0-2026-40611)

    Vulnerability from cvelistv5 – Published: 2026-04-21 17:58 – Updated: 2026-06-30 12:08
    VLAI
    Title
    Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
    Summary
    Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    go-acme lego Affected: < 4.34.0
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces 3.28     cpe:/a:redhat:openshift_devspaces:3.28::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40611",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T19:17:50.782641Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:17:54.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3.28::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Dev Spaces 3.28",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-21T17:58:35.221Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in lego, the Let\u0027s Encrypt client and ACME library written in Go. A malicious ACME (Automated Certificate Management Environment) server can exploit a path traversal vulnerability in the webroot HTTP-01 challenge provider. By supplying a specially crafted challenge token containing directory traversal sequences, the server can cause lego to write or delete files in arbitrary locations on the system where lego is running, potentially leading to system compromise."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:55.162Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-40611"
              },
              {
                "name": "RHBZ#2460233",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460233"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40611.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:21772"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-21T20:01:57.383Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-21T17:58:35.221Z",
                "value": "Made public."
              }
            ],
            "title": "github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this issue, ensure that the `lego` client only interacts with trusted ACME servers. Additionally, run the `lego` process with the least necessary privileges and in a restricted environment to limit the potential impact of arbitrary file operations. This may involve containerization or specific filesystem access controls."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "lego",
              "vendor": "go-acme",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.34.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Let\u0027s Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T17:58:35.221Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"
            }
          ],
          "source": {
            "advisory": "GHSA-qqx8-2xmm-jrv8",
            "discovery": "UNKNOWN"
          },
          "title": "Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40611",
        "datePublished": "2026-04-21T17:58:35.221Z",
        "dateReserved": "2026-04-14T14:07:59.642Z",
        "dateUpdated": "2026-06-30T12:08:55.162Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54799 (GCVE-0-2025-54799)

    Vulnerability from cvelistv5 – Published: 2025-08-07 00:04 – Updated: 2025-08-07 14:07
    VLAI
    Title
    Lego does not enforce HTTPS
    Summary
    Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    go-acme lego Affected: < 4.25.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54799",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-07T14:07:23.435795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-07T14:07:32.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "lego",
              "vendor": "go-acme",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.25.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Let\u0027s Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don\u0027t enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-07T00:04:14.718Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4"
            },
            {
              "name": "https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96"
            }
          ],
          "source": {
            "advisory": "GHSA-q82r-2j7m-9rv4",
            "discovery": "UNKNOWN"
          },
          "title": "Lego does not enforce HTTPS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54799",
        "datePublished": "2025-08-07T00:04:14.718Z",
        "dateReserved": "2025-07-29T16:50:28.395Z",
        "dateUpdated": "2025-08-07T14:07:32.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }