
Description

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks.

PUBLISHED Reserved 2025-04-15 | Published 2026-01-03 | Updated 2026-01-05 | Assigner VulnCheck




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

Improper Authorization of Index Containing Sensitive Information

Product status

Default status: unaffected

Unknown (semver): affected

Credits

bobdahacker (finder)

References

bobdahacker.com/blog/petlibro (Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks) third-party-advisory technical-description

www.vulncheck.com/...information-disclosure-via-api-endpoint (VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Information Disclosure via API endpoint) third-party-advisory

cve.org (CVE-2025-3654)

nvd.nist.gov (CVE-2025-3654)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.