CVE-2025-3654
Unknown Unknown - Not Provided
Information Disclosure in Petlibro Smart Feeder via Insecure API

Publication date: 2026-01-04

Last updated on: 2026-02-03

Assigner: VulnCheck

Description
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-04
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-01-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-3654
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
petlibro smart_pet_feeder_platform to 1.7.31 (inc)
petlibro petlibro to 1.7.31 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-612 The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an information disclosure flaw in the Petlibro Smart Pet Feeder Platform (versions up to 1.7.31) caused by insecure API endpoints. Specifically, the endpoint `/device/devicePetRelation/getBoundDevices` allows unauthorized attackers to access sensitive device hardware information such as serial numbers and MAC addresses by using pet IDs. There are no proper authorization checks, so attackers can retrieve critical device identifiers without authentication, potentially leading to full device control. [1]

Impact Analysis

The vulnerability can impact you by allowing unauthorized attackers to obtain sensitive hardware information of your device, such as serial numbers and MAC addresses. This can lead to attackers gaining full control over the device without proper authorization, potentially compromising device security and functionality. [1]

Detection Guidance

This vulnerability can be detected by attempting to access the insecure API endpoint `/device/devicePetRelation/getBoundDevices` using pet IDs to see if device hardware information such as serial numbers and MAC addresses can be retrieved without authentication. Network monitoring tools can be used to detect unauthorized requests to this endpoint. For example, using curl to test the endpoint: `curl http://<device-ip>/device/devicePetRelation/getBoundDevices?petId=<pet-id>` and checking if sensitive information is returned without authentication. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable API endpoint by implementing proper authentication and authorization checks, such as requiring valid credentials or tokens before allowing access. Additionally, network-level controls like firewall rules can be applied to limit access to the device's API endpoints only to trusted sources. Updating the Petlibro Smart Pet Feeder Platform to a version beyond 1.7.31, if available, that addresses this vulnerability is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-3654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart