Vulnerability in Go-acme Lego
CVE-2025-54799
Lego is a Let's Encrypt client and ACME library written in Go. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (and thus the lego library and the lego CLI as well) does not enforce HTTPS when talking to CAs as an ACME c…
EPSS: 0.002 (39.4th percentile)
Affected products
- Go-acme Lego — versions < 4.25.2
Weakness classification (CWE)
References
- https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4 (x_refsource_CONFIRM)
- https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96 (x_refsource_MISC)