CVE-2025-56132
Published 2025-09-30
Priority P2 · 78 · high · CVSS 3.1: 7.3
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.65% (46.4th percentile)
LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Although version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place; only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IPs or proxies), effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| liquidfiles | liquidfiles | < 4.2.0 | 4.2.0 |
Detection & IOCs
- Detect user enumeration attempts against LiquidFiles password reset endpoint: look for POST requests to /password_reset with body parameter 'user[email]=' from unauthenticated sources.
- A distinguishable response body containing 'invalid_email' alongside 'LiquidFiles' on a 200 OK after a password reset attempt indicates the application is leaking account existence information.
- Presence of a Set-Cookie header with '_filetransfer_session' combined with a 302 redirect on the password reset POST can be used to fingerprint a valid LiquidFiles instance responding to enumeration probes.
- Use Shodan/FOFA queries to identify exposed LiquidFiles instances as potential targets: http.title:"LiquidFiles" / title="LiquidFiles".
- IP-based rate limiting bypass via distributed/rotating IPs or proxies is a key attacker technique; monitor for high-volume password reset requests originating from many distinct source IPs targeting /password_reset.
- User enumeration via distinguishable password reset responses remains possible by default even in version 4.2, which only adds user-based lockout; it does not normalize responses.
- In versions prior to 4.2, only IP-based rate limiting is enforced on the password reset endpoint, with no user-level protection, making enumeration trivially scalable.
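The monitoring advice above (many password reset POSTs spread over many source IPs) can be checked against reverse-proxy access logs. The following is an added example, not code from LiquidFiles or from the sources quoted on this page; it assumes combined-format access logs, and the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the appliance sits behind a proxy that writes combined-format logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def reset_bursts(lines, window_s=300, min_requests=5, min_ips=3):
    """Return [(window_start_epoch, requests, distinct_ips)] for fixed windows
    in which POST /password_reset volume AND source-IP spread exceed thresholds.
    Counting distinct IPs catches traffic that stays under per-IP rate limits."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].rstrip("/") != "/password_reset":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        epoch = int(ts.timestamp())
        buckets[epoch - epoch % window_s].append(m["ip"])
    alerts = []
    for start in sorted(buckets):
        ips = buckets[start]
        if len(ips) >= min_requests and len(set(ips)) >= min_ips:
            alerts.append((start, len(ips), len(set(ips))))
    return alerts

def _line(ip, hms, method="POST", path="/password_reset", status=200):
    return f'{ip} - - [30/Sep/2025:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    _line("192.0.2.10", "10:00:05"),
    _line("198.51.100.7", "10:00:41"),
    _line("203.0.113.5", "10:01:12"),
    _line("192.0.2.77", "10:02:03"),
    _line("198.51.100.9", "10:02:50"),
    _line("192.0.2.10", "10:03:40"),
    _line("192.0.2.10", "10:03:45", method="GET"),   # form view, ignored
    _line("203.0.113.5", "10:03:50", path="/login"),  # other endpoint, ignored
    _line("203.0.113.44", "10:20:00"),                # lone reset, below threshold
]

if __name__ == "__main__":
    for start, count, ips in reset_bursts(SAMPLE_LOG):
        print(f"window {start}: {count} reset POSTs from {ips} distinct IPs")
```

Thresholds need tuning against the instance's normal reset volume; a window of legitimate resets after a mass password expiry would also trip this check.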
CVSS provenance
nvd · v3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vulncheck · 7.3 HIGH
GHSA
GHSA-qjf7-p4pc-2mq7: LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality
ghsa_unreviewed·2025-09-30
CVE-2025-56132 [HIGH] CWE-305 GHSA-qjf7-p4pc-2mq7: LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality
VulnCheck
liquidfiles liquidfiles Authentication Bypass by Primary Weakness
vulncheck·2025·CVSS 7.3
CVE-2025-56132 [HIGH] liquidfiles liquidfiles Authentication Bypass by Primary Weakness
No detection rules found.
Nuclei
LiquidFiles < 4.2 - User Enumeration via Password Reset
nuclei·CVSS 7.3
CVE-2025-56132 [HIGH] LiquidFiles < 4.2 - User Enumeration via Password Reset
LiquidFiles filetransfer server before 4.2 contains a user enumeration vulnerability caused by distinguishable responses in its password reset functionality, letting unauthenticated attackers enumerate valid user accounts. Exploitation requires no authentication.
Template:
```yaml
id: CVE-2025-56132

info:
  name: LiquidFiles < 4.2 - User Enumeration via Password Reset
  author: DhiyaneshDk
  severity: high
  description: |
    LiquidFiles filetransfer server before 4.2 contains a user enumeration vulnerability caused by distinguishable responses in password reset functionality, letting unauthenticated attackers enumerate valid user accounts, exploit requires no authentication.
  impact: |
    Attackers can enumerate valid user emails, increasing risk of targeted pa
```