Description
Advisory GHSA-q82r-2j7m-9rv4 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/go-acme/lego |
| github.com/go-acme/lego/v3 |
| github.com/go-acme/lego/v4 |
Description:
Summary
It was discovered that the github.com/go-acme/lego/v4/acme/api package (and therefore both the lego library and the lego CLI) does not enforce HTTPS when talking to CAs as an ACME client.
Details
Unlike the http-01 challenge, which is completed over unencrypted HTTP, the ACME protocol requires HTTPS whenever a client communicates with the CA to perform ACME functions. This is stated in Section 6.1 of RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555#section-6.1
Each ACME function is accomplished by the client sending...
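The following is an added example written for this report; it is not code from lego and does not reproduce the referenced fix commit. It shows the two places where an ACME client has to enforce the RFC 8555 Section 6.1 requirement: the configured CA directory URL itself, and every redirect followed while talking to the CA. `ValidateCADirectoryURL`, `HardenClient`, `FetchDirectory` and `DowngradeScenario` are names chosen here, and the two local servers (a plaintext "CA" and a TLS "CA" whose `/downgrade` endpoint redirects to it) are constructed test fixtures, not real CA endpoints.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrInsecureCAURL marks a CA directory URL, or a redirect target reached
// while following one, that is not https://.
var ErrInsecureCAURL = errors.New("acme: CA must be reached over https")

// ValidateCADirectoryURL enforces RFC 8555 §6.1 before any request is sent:
// the configured CA URL must be https:// and name a host. (Example code, not lego's.)
func ValidateCADirectoryURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("acme: invalid CA directory URL %q: %w", raw, err)
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return fmt.Errorf("%w (scheme %q in %q)", ErrInsecureCAURL, u.Scheme, raw)
	}
	if u.Host == "" {
		return fmt.Errorf("acme: CA directory URL %q has no host", raw)
	}
	return nil
}

// HardenClient returns a copy of base whose redirect policy refuses any
// Location that is not https://, so a CA (or an on-path attacker answering
// for it) cannot downgrade the session after the first hop.
func HardenClient(base *http.Client) *http.Client {
	c := *base
	c.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		if len(via) >= 10 {
			return errors.New("acme: stopped after 10 redirects")
		}
		if !strings.EqualFold(req.URL.Scheme, "https") {
			return fmt.Errorf("%w (redirect to %q)", ErrInsecureCAURL, req.URL.String())
		}
		return nil
	}
	return &c
}

// FetchDirectory is the first ACME step (GET the directory) with both checks
// applied; the vulnerable shape is this function without the
// ValidateCADirectoryURL call and with the default redirect policy.
func FetchDirectory(client *http.Client, dirURL string) (map[string]string, error) {
	if err := ValidateCADirectoryURL(dirURL); err != nil {
		return nil, err
	}
	resp, err := client.Get(dirURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("acme: directory returned HTTP %d", resp.StatusCode)
	}
	var dir map[string]string
	if err := json.NewDecoder(resp.Body).Decode(&dir); err != nil {
		return nil, fmt.Errorf("acme: bad directory body: %w", err)
	}
	return dir, nil
}

// DowngradeScenario runs the hardened client against two constructed local
// servers: a plaintext "CA" (what an on-path attacker can answer as) and a TLS
// "CA" whose /downgrade endpoint redirects to the plaintext one. It returns the
// outcomes of fetching the plaintext directory, the https directory, and the redirect.
func DowngradeScenario() (plainErr error, dir map[string]string, httpsErr, redirectErr error) {
	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"newNonce":"http://plain/nonce","newOrder":"http://plain/order"}`)
	}))
	defer plain.Close()
	mux := http.NewServeMux()
	mux.HandleFunc("/directory", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"newNonce":"/nonce","newOrder":"/order"}`)
	})
	mux.HandleFunc("/downgrade", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, plain.URL+"/directory", http.StatusFound)
	})
	tlsCA := httptest.NewTLSServer(mux)
	defer tlsCA.Close()
	client := HardenClient(tlsCA.Client()) // tlsCA.Client() trusts the test certificate

	_, plainErr = FetchDirectory(client, plain.URL+"/directory")
	dir, httpsErr = FetchDirectory(client, tlsCA.URL+"/directory")
	_, redirectErr = FetchDirectory(client, tlsCA.URL+"/downgrade")
	return plainErr, dir, httpsErr, redirectErr
}

func main() {
	plainErr, dir, httpsErr, redirectErr := DowngradeScenario()
	fmt.Println("plaintext CA URL:   ", plainErr)
	fmt.Println("https CA URL:       ", httpsErr, dir)
	fmt.Println("downgrade redirect: ", redirectErr)
}
```

The scheme check belongs at client construction time, not per request: once an `http://` directory URL is accepted, every later URL (newNonce, newAccount, newOrder) comes from whoever answered that first plaintext request, so the whole account and order flow is attacker-controlled. The redirect policy covers the remaining path, where a correctly configured `https://` URL is bounced to `http://`. Callers can distinguish the two policy failures from ordinary network errors with `errors.Is(err, ErrInsecureCAURL)`, since `http.Client` wraps `CheckRedirect` errors in a `*url.Error` that unwraps.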
References:
- ADVISORY: GHSA-q82r-2j7m-9rv4
- ADVISORY: GHSA-q82r-2j7m-9rv4
- FIX: go-acme/lego@238454b
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/go-acme/lego
      non_go_versions:
        - introduced: TODO (earliest fixed "4.25.2", vuln range "<= 4.25.1")
      vulnerable_at: 2.7.2+incompatible
    - module: github.com/go-acme/lego/v3
      vulnerable_at: 3.9.0
    - module: github.com/go-acme/lego/v4
      vulnerable_at: 4.25.2
summary: github.com/go-acme/lego/v4/acme/api does not enforce HTTPS in github.com/go-acme/lego
cves:
    - CVE-2025-54799
ghsas:
    - GHSA-q82r-2j7m-9rv4
references:
    - advisory: https://github.com/advisories/GHSA-q82r-2j7m-9rv4
    - advisory: https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4
    - fix: https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96
source:
    id: GHSA-q82r-2j7m-9rv4
    created: 2025-08-06T18:01:13.215879961Z
review_status: UNREVIEWED
```