CVE-2025-3652
Information Disclosure in Petlibro Smart Feeder via Insecure Audio IDs
Publication date: 2026-01-04
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| petlibro | smart_pet_feeder_platform | up to and including 1.7.31 |
| petlibro | petlibro | up to 1.7.31 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Petlibro Smart Pet Feeder Platform, versions up to and including 1.7.31, lets an attacker retrieve other users' private audio recordings. Two weaknesses combine. First, recordings are identified by sequential audio IDs, so a valid ID belonging to someone else can be found by simply incrementing. Second, the `/device/deviceAudio/use` endpoint does not check that the caller is entitled to the recording referenced by the submitted ID (CWE-288). An attacker therefore posts an arbitrary audio ID to `/device/deviceAudio/use` to bind that recording to a device, then fetches the device's audio URL through the normal retrieval path and plays the clip. Per the advisory, the attack is carried out remotely against the platform API and needs neither authentication nor user interaction. [1]
How can this vulnerability impact me?
Exploitation discloses private audio recordings stored on the platform, which may contain personal or sensitive information captured by Petlibro Smart Pet Feeder users. Beyond the privacy violation itself, the exposed audio can be misused by the attacker, and the incident erodes user trust in the product. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable endpoint is part of Petlibro's cloud platform rather than something deployed on your own network, so detection is largely in the operator's hands: server-side API logs should be reviewed for a single account or client binding many distinct, consecutive audio IDs through `/device/deviceAudio/use`, or binding IDs that belong to other users' recordings. If you are authorised to test the platform (for example against a staging instance), you can probe the endpoint with incrementing IDs; a request such as `curl -X POST https://<target>/device/deviceAudio/use -d 'audioId=<id>'`, with `<id>` varied across a range, indicates a vulnerable deployment if recordings that are not yours can then be retrieved. The parameter name `audioId` is illustrative; take the exact request format from the platform's API. Do not run such probes against production infrastructure you do not own or have permission to test. [1]
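Since the signal is visible only in the platform's own API logs, here is an added example (not from the advisory and not a Petlibro tool) of the server-side check described above: a Python detector that parses constructed access-log lines and flags any user who binds a near-consecutive run of audio IDs through `/device/deviceAudio/use` inside a short time window. The log format, the `audioId` field name and the thresholds are assumptions to be mapped onto your own gateway logs.

```python
"""Enumeration detector over API access logs.

Added example, not part of the advisory or Petlibro's tooling. The log
format, field names and thresholds below are assumptions for illustration;
adapt LINE_RE and TARGET_PATH to the real gateway logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). u17 sweeps six consecutive
# IDs in three seconds; u42 and u58 look like ordinary use.
SAMPLE_LOG = """\
2026-01-05T10:00:01Z client=198.51.100.7 user=u17 POST /device/deviceAudio/use audioId=1041 status=200
2026-01-05T10:00:02Z client=198.51.100.7 user=u17 POST /device/deviceAudio/use audioId=1042 status=200
2026-01-05T10:00:02Z client=198.51.100.7 user=u17 POST /device/deviceAudio/use audioId=1043 status=200
2026-01-05T10:00:03Z client=198.51.100.7 user=u17 POST /device/deviceAudio/use audioId=1044 status=200
2026-01-05T10:00:03Z client=198.51.100.7 user=u17 POST /device/deviceAudio/use audioId=1045 status=200
2026-01-05T10:00:03Z client=198.51.100.7 user=u17 POST /device/deviceAudio/use audioId=1046 status=200
2026-01-05T10:00:09Z client=203.0.113.20 user=u42 POST /device/deviceAudio/use audioId=877 status=200
2026-01-05T10:05:30Z client=203.0.113.20 user=u42 GET /device/deviceAudio/url deviceId=dev42 status=200
2026-01-05T10:07:11Z client=203.0.113.31 user=u58 POST /device/deviceAudio/use audioId=3001 status=200
2026-01-05T10:07:12Z client=203.0.113.31 user=u58 POST /device/deviceAudio/use audioId=3002 status=200
"""

# Assumed log layout: timestamp, client, user, method, path, optional audioId.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)(?: audioId=(?P<audio_id>\d+))?"
)
TARGET_PATH = "/device/deviceAudio/use"


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # fromisoformat on older Pythons does not accept a trailing 'Z'.
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["audio_id"] = int(e["audio_id"]) if e["audio_id"] else None
        events.append(e)
    return events


def longest_near_consecutive_run(ids, max_gap):
    """Length of the longest sorted run in which each ID is within max_gap of the previous."""
    ids = sorted(set(ids))
    best = cur = 1 if ids else 0
    for prev, nxt in zip(ids, ids[1:]):
        cur = cur + 1 if nxt - prev <= max_gap else 1
        best = max(best, cur)
    return best


def detect_enumeration(events, window=timedelta(minutes=10), min_run=5, max_gap=2):
    """Flag users who bind a near-consecutive run of >= min_run audio IDs within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["path"] == TARGET_PATH and e["method"] == "POST" and e["audio_id"] is not None:
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            run = longest_near_consecutive_run([e["audio_id"] for e in in_window], max_gap)
            if run >= min_run:
                alerts.append({
                    "user": user,
                    "clients": sorted({e["client"] for e in in_window}),
                    "ids": sorted({e["audio_id"] for e in in_window}),
                    "run_length": run,
                })
                break  # one alert per user is enough
    return alerts


def run_detection(text=SAMPLE_LOG):
    return detect_enumeration(parse_log(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

A `max_gap` above 1 tolerates IDs the attacker skipped or that were deleted in between; lower `min_run` if legitimate users rarely bind more than one or two clips per session. The stronger signal, binding an ID whose owner differs from the caller, needs the ownership table and is what the hardened backend should log outright.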
What immediate steps should I take to mitigate this vulnerability?
The fix is server-side and therefore primarily the vendor's: the `/device/deviceAudio/use` endpoint must enforce authentication and an ownership check (the caller must own both the recording and the target device), sequential audio IDs should be replaced with non-guessable random identifiers, and API usage should be monitored for enumeration patterns. Users and integrators should update the Petlibro Smart Pet Feeder Platform to a version later than 1.7.31 as soon as one is available. [1]
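The binding flaw and its fix, as an added example that is not Petlibro's code and not part of the advisory: a toy in-memory backend in Python where the same `device_audio_use` handler runs either in the vulnerable configuration described above (sequential IDs, no ownership check) or in the hardened one (random IDs, the caller must own both the recording and the target device). Every name here (`Backend`, `device_audio_use`, `device_audio_url`, the users and device IDs) is an assumption for illustration; the real platform's request and response formats are not shown on this page.

```python
"""Toy model of the audio-binding flaw and a hardened version.

Added example, not Petlibro's code. The class, method and field names are
assumptions that mirror the endpoint names in the advisory; the real
platform's API is not reproduced here.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Backend:
    audios: dict = field(default_factory=dict)    # audio_id -> (owner, url)
    devices: dict = field(default_factory=dict)   # device_id -> owner
    bindings: dict = field(default_factory=dict)  # device_id -> bound audio_id
    _next_audio_id: int = 1
    sequential_ids: bool = True     # vulnerable: guessable IDs
    check_ownership: bool = False   # vulnerable: no authorization check

    def register_device(self, owner, device_id):
        self.devices[device_id] = owner

    def upload_audio(self, owner):
        """Store a recording and return its ID (sequential or random)."""
        if self.sequential_ids:
            audio_id = str(self._next_audio_id)
            self._next_audio_id += 1
        else:
            audio_id = secrets.token_urlsafe(16)  # 128 random bits, not enumerable
        self.audios[audio_id] = (owner, f"https://cdn.example/audio/{audio_id}.mp3")
        return audio_id

    def device_audio_use(self, caller, device_id, audio_id):
        """Model of POST /device/deviceAudio/use: bind audio_id to device_id."""
        if audio_id not in self.audios or device_id not in self.devices:
            return False
        if self.check_ownership:
            # Hardened path: caller must own the device AND the recording.
            if self.devices[device_id] != caller:
                return False
            if self.audios[audio_id][0] != caller:
                return False
        self.bindings[device_id] = audio_id
        return True

    def device_audio_url(self, caller, device_id):
        """Normal retrieval path: playback URL for the audio bound to the caller's device."""
        if self.devices.get(device_id) != caller:
            return None
        audio_id = self.bindings.get(device_id)
        return None if audio_id is None else self.audios[audio_id][1]


def enumerate_recordings(backend, attacker, attacker_device, id_candidates):
    """Attacker loop: bind each guessed ID to own device, then read the URL back."""
    leaked = []
    for audio_id in id_candidates:
        if backend.device_audio_use(attacker, attacker_device, audio_id):
            url = backend.device_audio_url(attacker, attacker_device)
            if url and backend.audios[audio_id][0] != attacker:
                leaked.append((audio_id, url))
    return leaked


def build_scenario(sequential_ids, check_ownership):
    """Two users: alice (victim, three clips) and mallory (attacker, one clip)."""
    b = Backend(sequential_ids=sequential_ids, check_ownership=check_ownership)
    b.register_device("alice", "feeder-A")
    b.register_device("mallory", "feeder-M")
    victim_ids = [b.upload_audio("alice") for _ in range(3)]
    attacker_id = b.upload_audio("mallory")
    return b, victim_ids, attacker_id


def run_vulnerable():
    b, _, _ = build_scenario(sequential_ids=True, check_ownership=False)
    # Guessing 1..10 is enough: alice's three clips bind to mallory's feeder.
    return enumerate_recordings(b, "mallory", "feeder-M", [str(i) for i in range(1, 11)])


def run_hardened():
    b, victim_ids, _ = build_scenario(sequential_ids=False, check_ownership=True)
    # Even with the victim's random IDs in hand, the ownership check refuses the bind.
    guesses = victim_ids + [str(i) for i in range(1, 11)]
    return enumerate_recordings(b, "mallory", "feeder-M", guesses)


if __name__ == "__main__":
    print("vulnerable leaks:", run_vulnerable())
    print("hardened leaks:", run_hardened())
```

Both changes matter on their own: random IDs stop blind enumeration but not an attacker who obtains an ID another way, and the ownership check stops misuse of a known ID but does not prevent confirming which IDs exist. Applying both, plus logging every refused bind, closes the path the advisory describes.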
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Unauthorized access to private audio recordings is a breach of personal-data confidentiality. Under GDPR the recordings are personal data, so the flaw engages the operator's security obligations (Article 32) and, once exploited, its breach-notification duties. HIPAA applies only where the recordings are handled by a covered entity or business associate, which a consumer pet-feeder service normally is not; other regimes that mandate protection of personal and sensitive information against unauthorized access may apply depending on jurisdiction. [1]