Summary
It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client.
Details
Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555#section-6.1
Each ACME function is accomplished by the client sending a sequence
of HTTPS requests to the server [RFC2818], carrying JSON messages
[RFC8259]. Use of HTTPS is REQUIRED. Each subsection of Section 7
below describes the message formats used by the function and the
order in which messages are sent.
However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects.
If the library user accidentally inputs an HTTP URL, or the CA similarly misconfigures its endpoints, this will cause the relevant parts of the protocol to be performed over HTTP. This can result, at the very least, in a lost of privacy of the request/response details, such as account and request identifiers (which could be intercepted by an attacker in a privileged network position). We did not investigate whether other more serious threats could result from the ability to impersonate a CA for some of the protocol requests, but enforcing HTTPS usage is definitely the safe choice.
Reproducing
This is illustrated in the attached http_acme_test.go. Since it uses private field Core.directory, this test must be placed inside the source directory of https://github.com/go-acme/lego/v4/acme/api to run.
Please note that this only checks getting the directory and creating a new account, but other ACME functions are likely impacted as well, such as creating orders, getting and checking order authorizations.
package api
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"fmt"
"net/http"
"strings"
"testing"
"time"
"github.com/go-acme/lego/v4/acme"
)
const letsEncryptURLHTTP = "http://acme-v02.api.letsencrypt.org/directory"
const letsEncryptURLHTTPS = "https://acme-v02.api.letsencrypt.org/directory"
func changeToHTTP(url *string) {
if strings.HasPrefix(*url, "https:") {
*url = "http" + (*url)[len("https"):]
}
}
func changeToHTTPS(url *string) {
if strings.HasPrefix(*url, "http:") {
*url = "https" + (*url)[len("http"):]
}
}
func TestHTTPURLs(t *testing.T) {
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("error generating a private key: %v", err)
}
func() {
t.Log("testing that Discover enforces https")
_, err := New(&http.Client{
Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
Timeout: 20 * time.Second,
}, "", letsEncryptURLHTTP, "", privateKey)
if err != nil {
t.Errorf("New error: %v", err)
}
}()
core, err := New(&http.Client{
Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
Timeout: 20 * time.Second,
}, "", letsEncryptURLHTTPS, "", privateKey)
if err != nil {
t.Fatalf("New error: %v", err)
}
func() {
t.Log("testing that account creation enforces https")
// Simulate a misconfigured CA that gives out HTTP directory URLs and when
// we're done change it back to HTTPS to test the rest.
changeToHTTP(&core.directory.NewAccountURL)
defer changeToHTTPS(&core.directory.NewAccountURL)
_, err := core.Accounts.New(acme.Account{
TermsOfServiceAgreed: true,
Contact: []string{},
})
if err != nil {
t.Errorf("core.Accounts.New error: %v", err)
}
}()
_, err = core.Accounts.New(acme.Account{
TermsOfServiceAgreed: true,
Contact: []string{},
})
if err != nil {
t.Fatalf("core.Accounts.New error: %v", err)
}
}
type httpsOnlyRoundTripper struct {
inner http.RoundTripper
}
func (r *httpsOnlyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
if req.URL.Scheme != "https" {
return nil, fmt.Errorf("non-https request is being sent")
}
return r.inner.RoundTrip(req)
}
_
Impact
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-54799? CVE-2025-54799 is a low-severity security vulnerability in github.com/go-acme/lego (go), affecting versions <= 4.25.1. It is fixed in 4.25.2.
- Which packages are affected by CVE-2025-54799?
github.com/go-acme/lego(go) (versions <= 4.25.1)github.com/go-acme/lego/v3(go) (versions <= 4.25.1)github.com/go-acme/lego/v4(go) (versions <= 4.25.1)
- Is there a fix for CVE-2025-54799? Yes. CVE-2025-54799 is fixed in 4.25.2. Upgrade to this version or later.
- Is CVE-2025-54799 exploitable, and should I be worried? Whether CVE-2025-54799 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-54799 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-54799? Upgrade
github.com/go-acme/lego/v4to 4.25.2 or later.