GHSA-q82r-2j7m-9rv4 · Severity: low · Ecosystem: go — github.com/go-acme/lego/v4/acme/api does not enforce HTTPS
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.
Conclusion & alert: CVE-2025-54799 is rated Low Risk (23.1/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.18%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-03 | 0.05% | 0.18% | +0.13% |
| 2 | 2026-05-24 | 0.03% | 0.05% | +0.02% |
| 3 | 2025-08-07 | — | 0.03% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.3 | 4.0 | LOW |
|
— | — | [email protected] |
GHSA-q82r-2j7m-9rv4 · Severity: low · Ecosystem: go — github.com/go-acme/lego/v4/acme/api does not enforce HTTPS
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
low | CVE-2025-54799: 1 source package rows (lego); 20 state rows across 2 repos (3.22-community, edge-community); fixed 0, open 20. | https://security.alpinelinux.org/vuln/CVE-2025-54799 |
debian
|
not yet assigned | CVE-2025-54799 not yet assigned priority: Debian including 1 source packages (golang-github-xenolf-lego), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2025-54799 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2025-54799 |
ubuntu
|
medium | CVE-2025-54799 medium priority: Ubuntu including 1 source packages (golang-github-xenolf-lego), 7 status rows across 7 suites (bionic, focal, jammy, noble, plucky, questing, upstream): needs-triage 6, ignored 1. | https://ubuntu.com/security/CVE-2025-54799 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||