CVE-2025-54799
BaseFortify
Publication date: 2025-08-07
Last updated on: 2025-08-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-acme | lego | 4.25.1 |
| go-acme | lego | 4.25.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Let's Encrypt client and ACME library written in Go (Lego) versions 4.25.1 and below. The library does not enforce the use of HTTPS when communicating with Certificate Authorities (CAs) as an ACME client. Instead, it allows communication over unencrypted HTTP if users input HTTP URLs or if CAs misconfigure endpoints. This breaks the ACME protocol requirement for HTTPS communication, potentially exposing sensitive request and response details such as account and request identifiers to network attackers.
How can this vulnerability impact me?
The vulnerability can compromise your privacy and security by exposing sensitive information exchanged between the ACME client and the CA over the network. Attackers could intercept or observe account details and request identifiers, which could lead to unauthorized access or misuse of certificate issuance processes.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Let's Encrypt client and ACME library (Lego) to version 4.25.2 or later, as this version fixes the issue by enforcing HTTPS when communicating with CAs. Avoid using HTTP URLs for CA endpoints to prevent unencrypted communication.
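As an added illustration of the mitigation (not lego's own code), the Go check below refuses a non-https directory URL and any non-https endpoint the CA's directory advertises, covering both the user-supplied-URL and misconfigured-CA cases described above. The Directory struct, ValidateDirectory and the ca.example sample directory are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Directory holds the CA-advertised endpoints (RFC 8555 section 7.1.1) this example checks.
type Directory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
}

// requireHTTPS rejects any endpoint whose scheme is not https.
func requireHTTPS(name, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: invalid URL %q: %w", name, raw, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%s: %q is not an https:// URL", name, raw)
	}
	return nil
}

// ValidateDirectory checks the user-supplied directory URL and every endpoint the CA returned before any ACME request is sent.
func ValidateDirectory(dirURL string, body []byte) error {
	if err := requireHTTPS("directory", dirURL); err != nil {
		return err
	}
	var d Directory
	if err := json.Unmarshal(body, &d); err != nil {
		return fmt.Errorf("directory: bad JSON: %w", err)
	}
	endpoints := map[string]string{"newNonce": d.NewNonce, "newAccount": d.NewAccount, "newOrder": d.NewOrder}
	for name, ep := range endpoints {
		if err := requireHTTPS(name, ep); err != nil {
			return err
		}
	}
	return nil
}

// Constructed sample directory: newAccount is misconfigured as plain http.
const sampleDir = `{"newNonce":"https://ca.example/acme/new-nonce","newAccount":"http://ca.example/acme/new-acct","newOrder":"https://ca.example/acme/new-order"}`
func main() {
	fmt.Println(ValidateDirectory("https://ca.example/directory", []byte(sampleDir)))
}
```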