CVE-2025-3652
Unknown Unknown - Not Provided
Information Disclosure in Petlibro Smart Feeder via Insecure Audio IDs

Publication date: 2026-01-04

Last updated on: 2026-02-03

Assigner: VulnCheck

Description
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users' private recordings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-04
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-01-04
EPSS Evaluated
2026-06-14
NVD
CVE-2025-3652
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
petlibro smart_pet_feeder_platform to 1.7.31 (inc)
petlibro petlibro to 1.7.31 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized access to private audio recordings, which constitutes a breach of personal data confidentiality. This exposure of private user data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access. [1]

Executive Summary

This vulnerability in the Petlibro Smart Pet Feeder Platform versions up to 1.7.31 allows attackers to access private audio recordings without authorization. It occurs because the platform uses sequential audio IDs and insecure API endpoints. Attackers can send requests with arbitrary audio IDs to the /device/deviceAudio/use endpoint to assign recordings to any device, then retrieve audio URLs to listen to other users' private audio recordings. No authentication or user interaction is required, and the attack can be performed remotely. [1]

Impact Analysis

The vulnerability can lead to unauthorized disclosure of private audio recordings, potentially exposing sensitive or personal information captured by the Petlibro Smart Pet Feeder devices. This breach of privacy can result in loss of user trust, privacy violations, and potential misuse of the audio data by attackers. [1]

Detection Guidance

You can detect this vulnerability by monitoring network traffic for unauthorized or suspicious requests to the endpoint `/device/deviceAudio/use` with arbitrary or sequential audio IDs. For example, using curl commands to test the endpoint with different audio IDs can help identify if the system is vulnerable. A sample command might be: `curl -X POST https://<target>/device/deviceAudio/use -d 'audioId=<id>'` where <id> is varied sequentially to check if audio recordings can be accessed without authentication. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the `/device/deviceAudio/use` API endpoint by implementing proper authentication and authorization checks, disabling or limiting the use of sequential audio IDs, and monitoring for unusual API usage patterns. Additionally, updating the Petlibro Smart Pet Feeder Platform to a version beyond 1.7.31 when available is recommended to address this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-3652. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart