CVE-2025-3654
Information Disclosure in Petlibro Smart Feeder via Insecure API
Publication date: 2026-01-04
Last updated on: 2026-02-03
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| petlibro | smart_pet_feeder_platform | up to 1.7.31 (inclusive) |
| petlibro | petlibro | up to 1.7.31 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-612 | The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an information disclosure flaw in the Petlibro Smart Pet Feeder Platform (versions up to 1.7.31) caused by insecure API endpoints. Specifically, the endpoint `/device/devicePetRelation/getBoundDevices` allows unauthorized attackers to access sensitive device hardware information such as serial numbers and MAC addresses by using pet IDs. There are no proper authorization checks, so attackers can retrieve critical device identifiers without authentication, potentially leading to full device control. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthorized attackers to obtain sensitive hardware information of your device, such as serial numbers and MAC addresses. This can lead to attackers gaining full control over the device without proper authorization, potentially compromising device security and functionality. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the insecure API endpoint `/device/devicePetRelation/getBoundDevices` using pet IDs to see if device hardware information such as serial numbers and MAC addresses can be retrieved without authentication. Network monitoring tools can be used to detect unauthorized requests to this endpoint. For example, using curl to test the endpoint: `curl http://<device-ip>/device/devicePetRelation/getBoundDevices?petId=<pet-id>` and checking if sensitive information is returned without authentication. [1]
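Probing the endpoint yourself is one option; a defender with API-gateway or WAF logs can also look for the two signatures this flaw produces: successful (200) responses from `/device/devicePetRelation/getBoundDevices` with no credentials, and a single source walking through many different `petId` values. The script below is an added example written for this page, not code from Petlibro or VulnCheck. It assumes a constructed access-log format (combined log format plus a trailing `auth=` field that the gateway sets to `bearer` when an Authorization header was present and `-` when it was not); the IP addresses and pet IDs are constructed sample values.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
ENDPOINT = "/device/devicePetRelation/getBoundDevices"

# Assumed log format (constructed for this example): combined access-log
# layout with a trailing "auth=" field emitted by the gateway.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) auth=(?P<auth>\S+)$'
)

# Constructed sample log: one source fetching three different pets without
# credentials, one legitimate authenticated request, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2026:10:00:01 +0000] "GET /device/devicePetRelation/getBoundDevices?petId=pet-100 HTTP/1.1" 200 214 auth=-
203.0.113.5 - - [04/Jan/2026:10:00:02 +0000] "GET /device/devicePetRelation/getBoundDevices?petId=pet-101 HTTP/1.1" 200 214 auth=-
203.0.113.5 - - [04/Jan/2026:10:00:03 +0000] "GET /device/devicePetRelation/getBoundDevices?petId=pet-102 HTTP/1.1" 200 214 auth=-
198.51.100.7 - - [04/Jan/2026:10:00:04 +0000] "GET /device/devicePetRelation/getBoundDevices?petId=pet-300 HTTP/1.1" 200 214 auth=bearer
192.0.2.9 - - [04/Jan/2026:10:00:05 +0000] "GET /api/feed HTTP/1.1" 200 50 auth=bearer
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # petId is the query parameter the advisory says selects the record.
    rec["pet_id"] = parse_qs(parts.query).get("petId", [None])[0]
    return rec


def analyze(log_text, enumeration_threshold=3):
    """Return unauthenticated successful reads of the endpoint and any source
    IP that queried at least `enumeration_threshold` distinct pet IDs."""
    unauthenticated = []
    pets_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        if rec["auth"] == "-" and rec["status"] == "200":
            unauthenticated.append((rec["ip"], rec["pet_id"]))
        pets_by_ip[rec["ip"]].add(rec["pet_id"])
    enumerating = sorted(
        ip for ip, pets in pets_by_ip.items() if len(pets) >= enumeration_threshold
    )
    return {"unauthenticated_200": unauthenticated, "enumerating_ips": enumerating}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for ip, pet in findings["unauthenticated_200"]:
        print(f"unauthenticated disclosure: {ip} read petId={pet}")
    for ip in findings["enumerating_ips"]:
        print(f"possible pet-ID enumeration from {ip}")
```

Once the platform is patched, the first signature should disappear (those requests become 401/403), while the enumeration signature remains useful for spotting sources still probing the endpoint.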
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable API endpoint by implementing proper authentication and authorization checks, such as requiring valid credentials or tokens before allowing access. Additionally, network-level controls like firewall rules can be applied to limit access to the device's API endpoints only to trusted sources. Updating the Petlibro Smart Pet Feeder Platform to a version beyond 1.7.31, if available, that addresses this vulnerability is also recommended. [1]
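The fix on the API side is an object-level authorization check: authenticate the caller, then confirm the requested pet belongs to that caller before returning any hardware identifiers. The following is an added example written for this page, not Petlibro's code; it models the endpoint in plain Python with an in-memory pet-ownership table, a constructed session store, and placeholder serial numbers and MAC addresses, showing the insecure pattern the advisory describes beside a hardened handler.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which account owns which pet, and which device
# is bound to which pet. Serial numbers and MACs are placeholders.
PET_OWNER = {"pet-100": "acct-A", "pet-200": "acct-B"}
BOUND_DEVICES = {
    "pet-100": [{"sn": "SN-PLACEHOLDER-1", "mac": "00:11:22:33:44:55"}],
    "pet-200": [{"sn": "SN-PLACEHOLDER-2", "mac": "66:77:88:99:AA:BB"}],
}
# Constructed session store: bearer token -> account id.
SESSIONS = {"tok-A": "acct-A", "tok-B": "acct-B"}


@dataclass
class Response:
    status: int
    body: object


def get_bound_devices_insecure(pet_id: str) -> Response:
    """The pattern the advisory describes: the identifier alone selects the
    record and nothing ties the request to an authenticated caller."""
    return Response(200, BOUND_DEVICES.get(pet_id, []))


def get_bound_devices_secure(pet_id: str, auth_header: Optional[str]) -> Response:
    """Hardened handler: authenticate the caller, then require that the pet
    belongs to that caller (object-level authorization) before returning
    hardware identifiers."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401, {"error": "authentication required"})
    account = SESSIONS.get(auth_header[len("Bearer "):])
    if account is None:
        return Response(401, {"error": "invalid token"})
    # Same response for "not yours" and "does not exist", so the endpoint
    # cannot be used to confirm which pet IDs are valid.
    if PET_OWNER.get(pet_id) != account:
        return Response(404, {"error": "not found"})
    return Response(200, BOUND_DEVICES.get(pet_id, []))


if __name__ == "__main__":
    print("insecure:", get_bound_devices_insecure("pet-200"))
    print("no token:", get_bound_devices_secure("pet-200", None))
    print("other account:", get_bound_devices_secure("pet-200", "Bearer tok-A"))
    print("owner:", get_bound_devices_secure("pet-200", "Bearer tok-B"))
```

The ownership lookup is the part that matters: authentication alone would still let any logged-in user read any pet's devices, which is why the check compares the pet's owner against the authenticated account rather than merely requiring a valid token.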