CVE-2025-56132
📋 TL;DR
LiquidFiles filetransfer server versions prior to 4.2 have a user enumeration vulnerability in the password reset functionality. Unauthenticated attackers can determine valid user email addresses by observing different responses for valid vs invalid accounts. This affects all LiquidFiles deployments with default configurations.
💻 Affected Systems
- LiquidFiles filetransfer server
📦 What is this software?
LiquidFiles is a file transfer server product made by the vendor LiquidFiles.
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate all valid user accounts, then conduct targeted password spraying or social engineering attacks leading to account compromise and data exfiltration.
Likely Case
Attackers enumerate some user accounts and use this information for targeted phishing campaigns or credential stuffing attacks.
If Mitigated
With proper controls, attackers cannot reliably determine valid accounts, reducing the attack surface for follow-on attacks.
🎯 Exploit Status
Exploitation requires only HTTP requests to password reset endpoint with different email addresses. IP-based rate limiting can be bypassed using proxy rotation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2
Vendor Advisory: https://docs.liquidfiles.com/release_notes/version_4-2-x.html
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download LiquidFiles version 4.2 or later from the vendor website.
3. Follow the upgrade instructions in the documentation.
4. Restart the LiquidFiles service.
5. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Implement WAF rules
Configure the web application firewall to detect and block rapid password reset requests.
Enable user-based lockout
In version 4.2, ensure user-based lockout mechanisms are properly configured.
🧯 If You Can't Patch
- Implement network-level rate limiting at firewall/proxy level
- Monitor logs for unusual password reset request patterns
🔍 How to Verify
Check if Vulnerable:
Send password reset requests to /password_reset endpoint with valid and invalid email addresses. If responses differ (e.g., different HTTP status codes or response times), system is vulnerable.
Check Version:
Check LiquidFiles admin interface or run: liquidfiles --version
Verify Fix Applied:
After upgrading to 4.2+, test password reset with valid and invalid emails - responses should be identical. Check that user-based lockout is enabled in configuration.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from single IP
- Password reset requests for non-existent users
- Unusual volume of password reset requests
Network Indicators:
- HTTP POST requests to /password_reset endpoint with varying email parameters
- Requests from multiple IPs to same endpoint
SIEM Query:
source="liquidfiles.log" AND ("password_reset" OR "reset_password") | stats count by src_ip, user_email
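As an added example (not part of this advisory or of LiquidFiles' own tooling), the Python below implements the log indicators listed above over constructed log lines: it flags any source IP that requests resets for many different addresses within a short window and counts how many of those targeted non-existent users. The log line layout, the `/password_reset` result field and the thresholds are assumptions, since the page does not show the real LiquidFiles log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed layout, not LiquidFiles' real format):
# "<ISO timestamp> <src_ip> POST /password_reset email=<addr> result=<sent|unknown_user>"
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 203.0.113.5 POST /password_reset email=alice@example.com result=sent
2025-01-10T09:00:02Z 203.0.113.5 POST /password_reset email=bob@example.com result=unknown_user
2025-01-10T09:00:03Z 203.0.113.5 POST /password_reset email=carol@example.com result=unknown_user
2025-01-10T09:00:04Z 203.0.113.5 POST /password_reset email=dave@example.com result=unknown_user
2025-01-10T09:00:05Z 203.0.113.5 POST /password_reset email=erin@example.com result=sent
2025-01-10T09:00:06Z 203.0.113.5 POST /password_reset email=frank@example.com result=unknown_user
2025-01-10T09:30:00Z 198.51.100.7 POST /password_reset email=alice@example.com result=sent
2025-01-10T10:15:00Z 198.51.100.7 POST /password_reset email=alice@example.com result=sent
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST /password_reset email=(\S+) result=(\S+)$")


def parse_events(log_text):
    """Return (timestamp, src_ip, email, result) tuples for password-reset requests only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-reset request; ignore
        ts, ip, email, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email.lower(), result))
    return events


def find_enumeration(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Flag IPs that target more than max_distinct different addresses inside any
    window-long span. Returns {src_ip: (peak_distinct_emails, unknown_user_requests)}."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order for the sliding window
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            peak = max(peak, len({e[2] for e in evs[start:end + 1]}))
        unknown = sum(1 for e in evs if e[3] == "unknown_user")
        if peak > max_distinct:
            flagged[ip] = (peak, unknown)
    return flagged
```

A single user retrying a reset, as 198.51.100.7 does here, stays below the threshold, while the burst from 203.0.113.5 is flagged with its unknown-user count, which is the pattern the page's log indicators describe.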