SB2026041648 - Cleartext transmission of sensitive information in lego

Description

This security bulletin contains information about 1 security vulnerability.

1) Cleartext transmission of sensitive information (CVE-ID: CVE-2025-54799)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper transport security enforcement in github.com/go-acme/lego/v4/acme/api when communicating with ACME certificate authority endpoints. A remote attacker can intercept unencrypted ACME requests and responses to disclose sensitive information.

The issue can be triggered if the library user supplies an HTTP discovery URL or if a certificate authority returns HTTP endpoint URLs in directory or order objects.

Remediation

Install update from vendor's website.

References

• https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4
• https://github.com/advisories/GHSA-q82r-2j7m-9rv4