Executive Summary

CVE-2025-15115 is an authentication bypass vulnerability in the Petlibro Smart Pet Feeder Platform (up to version 1.7.31). It occurs because the social login API endpoint `/member/auth/thirdLogin` fails to properly verify OAuth tokens server-side. Instead, it accepts client-submitted Google IDs and phoneBrand parameters without validation. Attackers can exploit this flaw by submitting arbitrary Google IDs to obtain full session tokens and access any user account without authentication. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to fully compromise user accounts on the Petlibro platform. They can gain unauthorized access to personal account details, pet information (such as name, breed, birthdate, weight, and activity levels), device information (serial numbers, MAC addresses, product names), and even hijack devices to manipulate feeding schedules, trigger manual feeds, access camera streams, and modify device settings. Additionally, attackers can access private audio recordings and add themselves as shared owners to devices, exposing owner email addresses and control. Overall, this leads to severe privacy breaches, potential spying, and disruption of pet care. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring network traffic for requests to the vulnerable API endpoint `/member/auth/thirdLogin` that include arbitrary or suspicious Google IDs and phoneBrand parameters. Commands such as using `tcpdump` or `Wireshark` to filter HTTP POST requests to `/member/auth/thirdLogin` can help identify exploitation attempts. For example, a command like `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/member/auth/thirdLogin'` can capture relevant HTTP requests. Additionally, inspecting server logs for unusual or repeated requests to this endpoint with unexpected parameters can indicate exploitation attempts. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling or blocking access to the vulnerable endpoint `/member/auth/thirdLogin` to prevent exploitation. Applying any available patches or updates from Petlibro that remove or secure this endpoint is critical. If patching is not immediately possible, implementing network-level controls such as firewall rules to restrict access to this endpoint or monitoring and alerting on suspicious requests can reduce risk. Additionally, enforcing forced upgrades for users and removing legacy support for the vulnerable API endpoint are recommended to ensure long-term security. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to bypass authentication and gain unauthorized access to user accounts, including sensitive personal data such as pet details, device information, and private audio recordings. This unauthorized access and potential data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on personal data access and protection. The failure to properly secure user data and prevent unauthorized access may result in violations of these standards. [1, 2]

Useful 0 Not Useful 0