CVE-2025-54799 — Github.com/go-acme/lego/v4/acme/api does not enforce HTTPS in github.com/go-acme · VulnScope

CVE-2025-54799

Github.com/go-acme/lego/v4/acme/api does not enforce HTTPS in github.com/go-acme/lego

EPSS 0.18%

Description

Github.com/go-acme/lego/v4/acme/api does not enforce HTTPS in github.com/go-acme/lego

How to fix CVE-2025-54799

To remediate CVE-2025-54799, upgrade the affected package to a fixed version below.

Debian/golang-github-xenolf-lego—no fix listed
Go/github.com/go-acme/lego—no fix listed
Go/github.com/go-acme/lego/v3—no fix listed
Go/github.com/go-acme/lego/v4—upgrade to 4.25.2 or later
—upgrade to 4.25.2 or later

Is CVE-2025-54799 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0
from 0, <= 4.25.1
from 0, <= 4.25.1
from 0, < 4.25.2
from 0, < 4.25.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References (5)