CVE-2025-15115
Authentication Bypass in Petlibro Feeder via OAuth Token Flaw
Publication date: 2026-01-04
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| petlibro | smart_pet_feeder_platform | up to 1.7.31 (inclusive) |
| petlibro | petlibro | up to 1.7.31 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15115 is an authentication bypass vulnerability in the Petlibro Smart Pet Feeder Platform (up to version 1.7.31). It occurs because the social login API endpoint `/member/auth/thirdLogin` fails to properly verify OAuth tokens server-side. Instead, it accepts client-submitted Google IDs and phoneBrand parameters without validation. Attackers can exploit this flaw by submitting arbitrary Google IDs to obtain full session tokens and access any user account without authentication. [1, 2]
How can this vulnerability impact me?
This vulnerability allows attackers to fully compromise user accounts on the Petlibro platform. They can gain unauthorized access to personal account details, pet information (such as name, breed, birthdate, weight, and activity levels), device information (serial numbers, MAC addresses, product names), and even hijack devices to manipulate feeding schedules, trigger manual feeds, access camera streams, and modify device settings. Additionally, attackers can access private audio recordings and add themselves as shared owners to devices, exposing owner email addresses and control. Overall, this leads to severe privacy breaches, potential spying, and disruption of pet care. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for requests to the vulnerable API endpoint `/member/auth/thirdLogin` that include arbitrary or suspicious Google IDs and phoneBrand parameters. Tools such as `tcpdump` or Wireshark can filter HTTP POST requests to `/member/auth/thirdLogin` to help identify exploitation attempts. For example, a command like `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/member/auth/thirdLogin'` can capture relevant HTTP requests. Additionally, inspecting server logs for unusual or repeated requests to this endpoint with unexpected parameters can indicate exploitation attempts. [1, 2]
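As an added example (not from this page or from Petlibro), the following Python script applies the server-log check described above to constructed application-log lines: it flags any client that completes `/member/auth/thirdLogin` with many distinct Google IDs in a short window, a pattern a legitimate social login does not produce. The log format, IP addresses, Google ID values and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

ENDPOINT = "/member/auth/thirdLogin"

# Assumed application auth-log format (constructed, not Petlibro's real format):
#   <ip> <ISO timestamp> <method> <path> <status> [googleId=<id> phoneBrand=<brand>]
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: googleId=(?P<gid>\S*) phoneBrand=(?P<brand>\S*))?$"
)

# Constructed sample: 203.0.113.7 cycles through four Google IDs in seconds;
# 198.51.100.2 logs in once and then uses the app normally.
SAMPLE_LOG = """\
203.0.113.7 2026-01-05T10:00:01 POST /member/auth/thirdLogin 200 googleId=1001 phoneBrand=Pixel
203.0.113.7 2026-01-05T10:00:03 POST /member/auth/thirdLogin 200 googleId=1002 phoneBrand=Pixel
203.0.113.7 2026-01-05T10:00:04 POST /member/auth/thirdLogin 200 googleId=1003 phoneBrand=Pixel
203.0.113.7 2026-01-05T10:00:06 POST /member/auth/thirdLogin 200 googleId=1004 phoneBrand=Pixel
198.51.100.2 2026-01-05T10:05:00 POST /member/auth/thirdLogin 200 googleId=1001 phoneBrand=iPhone
198.51.100.2 2026-01-05T11:30:00 GET /device/list 200
"""

def parse(log_text):
    """Yield one dict per line matching LINE_RE; lines in another format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_suspicious_clients(log_text, max_ids=3, window_s=300):
    """Return {ip: sorted Google IDs} for each client whose successful thirdLogin
    calls used more than max_ids distinct Google IDs within any window_s seconds."""
    events = defaultdict(list)
    for rec in parse(log_text):
        if rec["method"] == "POST" and rec["path"] == ENDPOINT and rec["status"] == "200":
            events[rec["ip"]].append((rec["ts"], rec["gid"] or ""))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological, so a window can slide from each event
        for i, (start, _) in enumerate(evs):
            ids = {gid for ts, gid in evs[i:] if (ts - start).total_seconds() <= window_s}
            if len(ids) > max_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged
```

Tune `max_ids` and `window_s` to the login volume a single device or NAT gateway legitimately produces before alerting on the result.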
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or blocking access to the vulnerable endpoint `/member/auth/thirdLogin` to prevent exploitation. Applying any available patches or updates from Petlibro that remove or secure this endpoint is critical. If patching is not immediately possible, implementing network-level controls such as firewall rules to restrict access to this endpoint or monitoring and alerting on suspicious requests can reduce risk. Additionally, enforcing forced upgrades for users and removing legacy support for the vulnerable API endpoint are recommended to ensure long-term security. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to bypass authentication and gain unauthorized access to user accounts, including sensitive personal data such as pet details, device information, and private audio recordings. This unauthorized access and potential data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on personal data access and protection. The failure to properly secure user data and prevent unauthorized access may result in violations of these standards. [1, 2]