LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
Advisories
Source ID Title
EUVD EUVD EUVD-2025-31771 LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 15 Oct 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:liquidfiles:liquidfiles:*:*:*:*:*:*:*:*

Thu, 02 Oct 2025 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Oct 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Liquidfiles
Liquidfiles liquidfiles
Vendors & Products Liquidfiles
Liquidfiles liquidfiles

Wed, 01 Oct 2025 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-305
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Tue, 30 Sep 2025 19:00:00 +0000

Type Values Removed Values Added
Description LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2 introduces user-based lockout mechanisms to mitigate brute-force attacks, user enumeration remains possible by default. In versions prior to 4.2, no such user-level protection is in place, only basic IP-based rate limiting is enforced. This IP-based protection can be bypassed by distributing requests across multiple IPs (e.g., rotating IP or proxies). Effectively bypassing both login and password reset security controls. Successful exploitation allows an attacker to enumerate valid email addresses registered for the application, increasing the risk of follow-up attacks such as password spraying.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-10-01T20:16:22.186Z

Reserved: 2025-08-16T00:00:00.000Z

Link: CVE-2025-56132

cve-icon Vulnrichment

Updated: 2025-10-01T20:16:17.034Z

cve-icon NVD

Status : Analyzed

Published: 2025-09-30T19:15:37.253

Modified: 2025-10-15T18:38:42.897

Link: CVE-2025-56132

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-10-02T08:48:19Z