Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-q82r-2j7m-9rv4

github.com/go-acme/lego/v4/acme/api does not enforce HTTPS

Also known asCVE-2025-54799GO-2025-3847
Published
Aug 6, 2025
Updated
Feb 4, 2026
Affected
3 pkgs
Patched
1 / 3
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.2%probability of exploitation in next 30 days
Lower Risk10th percentile+0.15%
0.00%0.23%0.47%0.70%0.0%0.2%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

3 pkgs affected
🐹github.com/go-acme/lego🐹github.com/go-acme/lego/v3🐹github.com/go-acme/lego/v4

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client.

Details

Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: https://datatracker.ietf.org/doc/html/rfc8555#section-6.1

Each ACME function is accomplished by the client sending a sequence of HTTPS requests to the server [RFC2818], carrying JSON messages [RFC8259]. Use of HTTPS is REQUIRED. Each subsection of Section 7 below describes the message formats used by the function and the order in which messages are sent.

However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects.

If the library user accidentally inputs an HTTP URL, or the CA similarly misconfigures its endpoints, this will cause the relevant parts of the protocol to be performed over HTTP. This can result, at the very least, in a lost of privacy of the request/response details, such as account and request identifiers (which could be intercepted by an attacker in a privileged network position). We did not investigate whether other more serious threats could result from the ability to impersonate a CA for some of the protocol requests, but enforcing HTTPS usage is definitely the safe choice.

Reproducing

This is illustrated in the attached http_acme_test.go. Since it uses private field Core.directory, this test must be placed inside the source directory of https://github.com/go-acme/lego/v4/acme/api to run.

Please note that this only checks getting the directory and creating a new account, but other ACME functions are likely impacted as well, such as creating orders, getting and checking order authorizations.

<details> 
package api

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
	"net/http"
	"strings"
	"testing"
	"time"

	"github.com/go-acme/lego/v4/acme"
)

const letsEncryptURLHTTP = "http://acme-v02.api.letsencrypt.org/directory"
const letsEncryptURLHTTPS = "https://acme-v02.api.letsencrypt.org/directory"

func changeToHTTP(url *string) {
	if strings.HasPrefix(*url, "https:") {
		*url = "http" + (*url)[len("https"):]
	}
}

func changeToHTTPS(url *string) {
	if strings.HasPrefix(*url, "http:") {
		*url = "https" + (*url)[len("http"):]
	}
}

func TestHTTPURLs(t *testing.T) {
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		t.Fatalf("error generating a private key: %v", err)
	}

	func() {
		t.Log("testing that Discover enforces https")
		_, err := New(&http.Client{
			Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
			Timeout:   20 * time.Second,
		}, "", letsEncryptURLHTTP, "", privateKey)
		if err != nil {
			t.Errorf("New error: %v", err)
		}
	}()

	core, err := New(&http.Client{
		Transport: &httpsOnlyRoundTripper{inner: http.DefaultTransport},
		Timeout:   20 * time.Second,
	}, "", letsEncryptURLHTTPS, "", privateKey)
	if err != nil {
		t.Fatalf("New error: %v", err)
	}

	func() {
		t.Log("testing that account creation enforces https")

		// Simulate a misconfigured CA that gives out HTTP directory URLs and when
		// we're done change it back to HTTPS to test the rest.
		changeToHTTP(&core.directory.NewAccountURL)
		defer changeToHTTPS(&core.directory.NewAccountURL)

		_, err := core.Accounts.New(acme.Account{
			TermsOfServiceAgreed: true,
			Contact:              []string{},
		})
		if err != nil {
			t.Errorf("core.Accounts.New error: %v", err)
		}
	}()

	_, err = core.Accounts.New(acme.Account{
		TermsOfServiceAgreed: true,
		Contact:              []string{},
	})
	if err != nil {
		t.Fatalf("core.Accounts.New error: %v", err)
	}
}

type httpsOnlyRoundTripper struct {
	inner http.RoundTripper
}

func (r *httpsOnlyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Scheme != "https" {
		return nil, fmt.Errorf("non-https request is being sent")
	}
	return r.inner.RoundTrip(req)
}
</details>

_

Affected Packages

3 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/go-acme/legoall versionsNo fix
🐹Gogithub.com/go-acme/lego/v3all versionsNo fix
🐹Gogithub.com/go-acme/lego/v4all versions4.25.2

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/go-acme/lego. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    No patched version of github.com/go-acme/lego has shipped for GHSA-q82r-2j7m-9rv4 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-q82r-2j7m-9rv4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-q82r-2j7m-9rv4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. ## Details Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. This is stated in 6.1 of RFC 8555: [https://datatracker.ietf.org/doc/html/rfc8555#section-6.1](https://datatracker.ietf.org/doc/html/rfc8555#section-6.1) > Each ACME function is accomplished by the client sending
O3 Security · Impact-Aware SCA

Is GHSA-q82r-2j7m-9rv4 in your dependencies?

O3 detects GHSA-q82r-2j7m-9rv4 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works