CVE-2025-54799: CWE-319: Cleartext Transmission of Sensitive Information in go-acme lego
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (and therefore the lego library and the lego CLI as well) does not enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge, which is solved over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to perform ACME functions. However, the library fails to enforce HTTPS both for the original discovery URL (configured by the library user) and for the subsequent addresses returned by the CA in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details such as account and request identifiers to network attackers. This was fixed in version 4.25.2.
AI Analysis
Technical Summary
CVE-2025-54799 is a vulnerability identified in the go-acme lego library, a widely used Let's Encrypt client and ACME protocol implementation written in Go. The affected versions are 4.25.1 and below. The core issue stems from the library's failure to enforce HTTPS when communicating with Certificate Authorities (CAs) during ACME protocol operations. While the ACME protocol mandates HTTPS for client-CA interactions to ensure confidentiality and integrity, this library version allows HTTP connections if the user configures an HTTP URL or if the CA endpoints are misconfigured. This flaw affects both the initial discovery URL and subsequent URLs returned by the CA in directory and order objects. As a result, sensitive information such as account identifiers and request details can be transmitted in cleartext over the network, exposing them to interception by network attackers. This compromises privacy but does not directly affect the integrity or availability of the system. The vulnerability was addressed in version 4.25.2 by enforcing HTTPS usage. The CVSS 4.0 score is 2.3 (low severity), reflecting the limited impact and the requirement for user interaction and high attack complexity. No known exploits are reported in the wild. The vulnerability relates to CWE-319 (Cleartext Transmission of Sensitive Information).
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of ACME protocol communications when the affected lego client versions are in use. Organizations relying on automated certificate management with the go-acme lego library could inadvertently expose account and request identifiers if HTTP endpoints are used, either through misconfiguration or through malicious redirection. This exposure could facilitate network-level reconnaissance or targeted attacks on certificate management infrastructure. However, the impact is limited: the vulnerability does not allow direct compromise of certificate issuance or modification, nor does it affect certificate integrity or availability. The risk is higher in environments where network traffic is monitored or intercepted, such as public or untrusted networks. European organizations subject to strict data privacy regulations (e.g., GDPR) must consider the privacy implications of transmitting sensitive data unencrypted. The vulnerability is less critical for organizations that enforce HTTPS endpoints and have updated to patched versions. Overall, the threat is low but warrants attention in certificate management workflows.
Mitigation Recommendations
1. Upgrade all instances of the go-acme lego library and CLI to version 4.25.2 or later, where HTTPS enforcement is implemented.
2. Audit and verify all configured ACME server URLs to ensure they use HTTPS exclusively, avoiding any HTTP endpoints.
3. Implement network-level controls such as TLS interception detection and strict transport security policies to prevent downgrade attacks or misconfigurations leading to HTTP usage.
4. Monitor network traffic for any unencrypted ACME protocol communications to detect potential exposure.
5. Educate developers and DevOps teams on the importance of secure ACME client configurations and the risks of using HTTP endpoints.
6. Where possible, restrict lego client usage to trusted internal networks or VPNs to reduce exposure to network attackers.
7. Incorporate automated testing in CI/CD pipelines to detect usage of vulnerable lego versions or insecure URLs.
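The check that the fix imposes, as an added Go example that is not lego's own code: RequireHTTPS is meant to run on the user-configured discovery URL before the first request, and CheckEndpoints on the directory and order objects the CA returns, so that neither a typed http:// URL nor a downgraded endpoint in a CA response is ever followed. The field names are those of RFC 8555; the ca.example URLs in the sample are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// RFC 8555 field names that carry CA-controlled URLs in the directory and order objects.
var DirectoryURLFields = []string{"newNonce", "newAccount", "newOrder", "newAuthz", "revokeCert", "keyChange"}
var OrderURLFields = []string{"finalize", "certificate", "authorizations"}
// RequireHTTPS checks a decoded JSON value (string, or []any for "authorizations"); nil (absent field) passes.
func RequireHTTPS(field string, v any) error {
	switch x := v.(type) {
	case nil:
		return nil
	case []any:
		for i, e := range x {
			if err := RequireHTTPS(fmt.Sprintf("%s[%d]", field, i), e); err != nil {
				return err
			}
		}
		return nil
	case string:
		if u, err := url.Parse(x); err != nil || u.Scheme != "https" || u.Host == "" {
			return fmt.Errorf("%s: refusing non-HTTPS ACME endpoint %q", field, x)
		}
		return nil
	default:
		return fmt.Errorf("%s: expected a URL, got %T", field, v)
	}
}
// CheckEndpoints decodes an ACME directory or order object and enforces HTTPS on every listed field.
func CheckEndpoints(kind string, body []byte, fields []string) error {
	var obj map[string]any
	if err := json.Unmarshal(body, &obj); err != nil {
		return fmt.Errorf("%s: invalid JSON: %w", kind, err)
	}
	for _, f := range fields {
		if err := RequireHTTPS(kind+"."+f, obj[f]); err != nil { // an absent field is nil and passes
			return err
		}
	}
	return nil
}
// Constructed sample (not a real CA): a directory whose newAccount endpoint was downgraded to HTTP.
func main() {
	dir := []byte(`{"newNonce":"https://ca.example/acme/new-nonce","newAccount":"http://ca.example/acme/new-acct"}`)
	fmt.Println(CheckEndpoints("directory", dir, DirectoryURLFields))
}
```

A client applying these checks fails closed on the first non-HTTPS endpoint it meets, which is also the condition to alert on when monitoring ACME traffic for cleartext use.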
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-29T16:50:28.395Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6893f7c1ad5a09ad00f58d6c
Added to database: 8/7/2025, 12:48:01 AM
Last enriched: 8/7/2025, 1:03:07 AM
Last updated: 8/9/2025, 12:34:45 AM