CVE-2025-3660
Broken Access Control in Petlibro Feeder Allows Unauthorized Data Access
Publication date: 2026-01-04
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| petlibro | smart_pet_feeder_platform | to 1.7.31 (inc) |
| petlibro | petlibro | to 1.7.31 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-612 | The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a broken access control issue in the Petlibro Smart Pet Feeder Platform (up to version 1.7.31) that allows authenticated users to access other users' pet data without proper authorization. Attackers can exploit the API endpoint `/member/pet/detailV2` by sending requests with arbitrary pet IDs to retrieve sensitive information such as pet details, member IDs, and avatar URLs, bypassing ownership verification. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by monitoring or testing API requests to the endpoint `/member/pet/detailV2` with arbitrary pet IDs to see if sensitive data is returned without proper authorization. For example, using curl to send requests with different pet IDs while authenticated can help identify if unauthorized data access is possible: `curl -X GET -H "Authorization: Bearer <token>" "https://<petfeeder-domain>/member/pet/detailV2?petId=<arbitrary_pet_id>"`. If the response contains pet details or member information not belonging to the authenticated user, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable API endpoint `/member/pet/detailV2` to ensure proper ownership verification is enforced. This can involve applying access control rules to validate that the authenticated user owns the pet ID being requested. Additionally, monitoring and logging API requests to detect suspicious access patterns and temporarily disabling or limiting the API endpoint until a patch or update is applied can help reduce risk. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive user data, including pet details and member IDs. This exposure can compromise user privacy and potentially lead to further attacks or misuse of personal information within the Petlibro Smart Pet Feeder Platform. [1]