# CVE-2025-56132 - LiquidFiles User Enumeration POC
## Vulnerability Description
This vulnerability was identified in LiquidFiles version 4.1 and below.
When initiating a password reset via the “POST /password_reset” endpoint, the application responds differently depending on whether the supplied email address is registered. A redirect is issued in both cases, and the response includes the “_filetransfer_session” cookie. When this cookie is used to access the root path (“/”), the resulting error message differs based on the validity of the submitted email address.
This effectively allows an attacker to compile a list of valid users, which can then be leveraged in follow-on attacks such as brute-forcing or password spraying.
## Proof Of Concept (POC)
Password reset response – existing/valid users
<img width="369" height="169" alt="image001" src="https://github.com/user-attachments/assets/b909e3f2-3aa3-42f9-a20f-9b24d1f0168a" />
Password reset response – non-existent/invalid users
<img width="437" height="214" alt="image002" src="https://github.com/user-attachments/assets/a2010406-995f-4c9c-8b40-f5a91712ed95" />
After several password reset attempts, an IP-based lockout is triggered as a security measure, preventing further requests from the same IP address. However, this mechanism is insufficient, as it can be bypassed using free tools. For example, the lockout can be circumvented using AWS API Gateway proxies in combination with the “IP Rotate” extension in Burp Suite. The script expects a local proxy on port 8080.
Tool used to bypass the IP-based lockout:
* https://portswigger.net/bappstore/2eb2b1cb1cf34cc79cda36f0f9019874
This discrepancy in error messages enables automated enumeration of valid usernames or email addresses. To demonstrate this, I made a proof-of-concept script that takes a list of potential registered email addresses and identifies valid ones based on the application’s response behavior.
Output of the user enumeration script:
<img width="1394" height="693" alt="SCR-20251005-nhjt-3" src="https://github.com/user-attachments/assets/b86b60ff-3040-4c6f-bdc3-68b7c76b73a9" />
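Because rotating source IPs defeats the per-IP lockout described above, a detector has to key on the endpoint rather than on the address. The following script is an added example (not part of this POC repository) that flags bursts of POST /password_reset requests spread across many distinct IPs in constructed nginx/Apache combined-format log lines; the window, threshold and minimum-IP values are assumptions to be tuned per deployment.

```python
import re
from collections import deque
from datetime import datetime

# Combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}')

# Constructed sample log: five rotating IPs hit /password_reset within 13 s
# (the rotation signature), one unrelated GET, and one later request from a
# single address that looks like a normal user.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2025:10:00:01 +0000] "POST /password_reset HTTP/1.1" 302 0
203.0.113.11 - - [05/Oct/2025:10:00:03 +0000] "POST /password_reset HTTP/1.1" 302 0
198.51.100.7 - - [05/Oct/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.12 - - [05/Oct/2025:10:00:06 +0000] "POST /password_reset HTTP/1.1" 302 0
203.0.113.13 - - [05/Oct/2025:10:00:08 +0000] "POST /password_reset HTTP/1.1" 302 0
203.0.113.14 - - [05/Oct/2025:10:00:11 +0000] "POST /password_reset HTTP/1.1" 302 0
203.0.113.15 - - [05/Oct/2025:10:00:13 +0000] "POST /password_reset HTTP/1.1" 302 0
192.0.2.44 - - [05/Oct/2025:11:30:00 +0000] "POST /password_reset HTTP/1.1" 302 0
""".splitlines()


def parse(line):
    """Return (ip, timestamp, method, path) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def detect_reset_bursts(lines, window_s=60, threshold=5, min_ips=3):
    """Alert when >= threshold POST /password_reset requests arrive within
    window_s seconds from >= min_ips distinct IPs. Per-IP counting misses
    this pattern because each rotated address stays under the lockout limit."""
    events = sorted((e for e in map(parse, lines)
                     if e and e[2] == "POST" and e[3].startswith("/password_reset")),
                    key=lambda e: e[1])
    window, alerts = deque(), []
    for e in events:
        window.append(e)
        while (e[1] - window[0][1]).total_seconds() > window_s:
            window.popleft()  # drop requests that fell out of the sliding window
        ips = {w[0] for w in window}
        if len(window) >= threshold and len(ips) >= min_ips:
            alerts.append({"end": e[1].isoformat(), "requests": len(window),
                           "distinct_ips": len(ips)})
            window.clear()  # one alert per burst, not one per request
    return alerts
```

Run against the sample, the detector raises a single alert for the rotating burst and stays silent for the lone later request, which is the behaviour a per-IP lockout alone cannot provide.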
## Risk (OWASP risk rating)
Once valid usernames are identified, they could be leveraged in a brute-force or password spraying attack. Given that some users may have weak or reused passwords, this poses a high security risk.
The likelihood of exploitation is high: the current security measures are easily bypassed and exploitation is straightforward. The impact is considered medium, as after obtaining a list of valid users an attacker still needs to compromise an account through password spraying or brute-force attacks.
Note that this application is used by many different organizations and is almost always exposed to the public internet. This makes it just a matter of scraping employee email addresses or names from the internet and password spraying the application.
As a result, this issue poses a high risk.
## Patch
Version 4.2 addresses this issue by introducing a user-based lockout mechanism and by disabling, by default, the distinct error messages that allow user enumeration.
## References
* https://nvd.nist.gov/vuln/detail/CVE-2025-56132
* https://www.tenable.com/cve/CVE-2025-56132
* https://docs.liquidfiles.com/release_notes/version_4-2-x.html
* https://www.liquidfiles.com/updates/v4.2.html
* https://github.com/advisories/GHSA-qjf7-p4pc-2mq7