CVE-2025-3660
Unknown Unknown - Not Provided
Broken Access Control in Petlibro Feeder Allows Unauthorized Data Access

Publication date: 2026-01-04

Last updated on: 2026-02-03

Assigner: VulnCheck

Description
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information including pet details, member IDs, and avatar URLs without proper authorization checks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-04
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-01-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-3660
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
petlibro smart_pet_feeder_platform to 1.7.31 (inc)
petlibro petlibro to 1.7.31 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-612 The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a broken access control issue in the Petlibro Smart Pet Feeder Platform (up to version 1.7.31) that allows authenticated users to access other users' pet data without proper authorization. Attackers can exploit the API endpoint `/member/pet/detailV2` by sending requests with arbitrary pet IDs to retrieve sensitive information such as pet details, member IDs, and avatar URLs, bypassing ownership verification. [1]

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive user data, including pet details and member IDs. This exposure can compromise user privacy and potentially lead to further attacks or misuse of personal information within the Petlibro Smart Pet Feeder Platform. [1]

Detection Guidance

You can detect this vulnerability by monitoring or testing API requests to the endpoint `/member/pet/detailV2` with arbitrary pet IDs to see if sensitive data is returned without proper authorization. For example, using curl to send requests with different pet IDs while authenticated can help identify if unauthorized data access is possible: `curl -X GET -H "Authorization: Bearer <token>" "https://<petfeeder-domain>/member/pet/detailV2?petId=<arbitrary_pet_id>"`. If the response contains pet details or member information not belonging to the authenticated user, the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable API endpoint `/member/pet/detailV2` to ensure proper ownership verification is enforced. This can involve applying access control rules to validate that the authenticated user owns the pet ID being requested. Additionally, monitoring and logging API requests to detect suspicious access patterns and temporarily disabling or limiting the API endpoint until a patch or update is applied can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-3660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart