PT-2025-40021 · Unknown · Liquidfiles

Published: 2025-09-30 · Updated: 2026-01-25 · CVE-2025-56132

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: LiquidFiles versions prior to 4.2

Description: The LiquidFiles file transfer server is susceptible to a user enumeration issue in its password reset functionality. The application returns different responses for valid and invalid email addresses, which lets an unauthenticated attacker determine whether a user account exists. Version 4.2 introduces user-based lockout to mitigate brute-force attempts, but user enumeration remains possible in the default configuration. Prior to version 4.2, only basic IP-based rate limiting was implemented; it can be circumvented by distributing requests across multiple IP addresses, which bypasses both the login and the password reset controls. Successful exploitation lets an attacker enumerate the valid email addresses associated with the application, which can lead to follow-on attacks such as password spraying.

Recommendations: LiquidFiles versions prior to 4.2: upgrade to version 4.2 or later.
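As an added illustration of the weakness and its mitigation (this is not LiquidFiles code; the handler names, the `ResetService` class and the sample account are constructed), the first handler below answers differently depending on whether the address is registered, while the second returns an identical response in every case and counts attempts per target account rather than per source IP, so spreading requests over many addresses does not reset the limit:

```python
from collections import defaultdict

# Constructed sample account store; not LiquidFiles data.
KNOWN_USERS = {"alice@example.com"}


def reset_vulnerable(email: str) -> tuple[int, str]:
    """Hypothetical reset handler with the weakness described above:
    the status code and message reveal whether the address is an account."""
    if email.strip().lower() in KNOWN_USERS:
        return 200, "Reset instructions have been sent."
    return 404, "No account found for that email address."


class ResetService:
    """Hypothetical hardened handler: uniform response, and lockout counted
    per target account so that rotating source IPs does not evade it."""

    def __init__(self, users, max_attempts: int = 5):
        self.users = {u.strip().lower() for u in users}
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)  # keyed by requested account, not by IP
        self.requests = []  # (source_ip, account) pairs kept for detection
        self.sent = []  # addresses to which reset mail would be dispatched

    def reset(self, email: str, source_ip: str) -> tuple[int, str]:
        key = email.strip().lower()
        # Every request is counted against the account it names; the source
        # IP is recorded for monitoring but is not the lockout key.
        self.requests.append((source_ip, key))
        self.attempts[key] += 1
        locked = self.attempts[key] > self.max_attempts
        if key in self.users and not locked:
            # Only the mailbox owner learns that the address is registered.
            self.sent.append(key)
        # Same status and body for unknown, known and locked-out addresses.
        return 200, "If that address is registered, reset instructions have been sent."

    def lockouts(self) -> list[str]:
        """Accounts over the limit: what a monitoring hook would alert on."""
        return sorted(k for k, n in self.attempts.items() if n > self.max_attempts)
```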

Related Identifiers: CVE-2025-56132

Affected Products: Liquidfiles