CVE-2025-15115 Overview
CVE-2025-15115 is an authentication bypass vulnerability affecting the Petlibro Smart Pet Feeder Platform versions up to 1.7.31. The vulnerability exists in the social login system's OAuth token validation mechanism, allowing unauthenticated attackers to access any user account without proper verification. By exploiting flaws in the /member/auth/thirdLogin API endpoint, attackers can send requests with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and complete account access.
Critical Impact
Unauthenticated attackers can completely bypass authentication and gain access to any user account on the Petlibro Smart Pet Feeder Platform, potentially controlling pet feeding schedules and accessing personal user data.
Affected Products
- Petlibro Smart Pet Feeder Platform versions up to 1.7.31
Discovery Timeline
- 2026-01-04 - CVE CVE-2025-15115 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-15115
Vulnerability Analysis
This authentication bypass vulnerability (CWE-862: Missing Authorization) exists in the Petlibro Smart Pet Feeder Platform's social login implementation. The platform fails to properly validate OAuth tokens when processing third-party login requests through Google authentication. When a user attempts to authenticate via the social login system, the backend accepts arbitrary Google IDs without verifying them against Google's OAuth servers.
The vulnerability is particularly concerning for IoT devices as it could allow attackers to take control of pet feeding schedules, potentially endangering pets if feeding is disrupted. Additionally, attackers gain access to personal information stored in user accounts.
Root Cause
The root cause lies in the missing authorization checks within the /member/auth/thirdLogin endpoint. The platform accepts any combination of Google ID and phoneBrand parameters without validating that the provided credentials actually correspond to a legitimate OAuth authentication flow. This represents a fundamental failure in implementing proper OAuth token verification, where the server should validate received tokens with the OAuth provider before granting session access.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests to the /member/auth/thirdLogin endpoint with arbitrary Google IDs belonging to other users. The server fails to verify these IDs against Google's OAuth infrastructure and instead grants full session tokens for the targeted accounts.
The attacker needs only to know or enumerate valid Google IDs associated with Petlibro accounts. Once a valid target ID is identified, the attacker submits it along with any phoneBrand parameter to receive a fully authenticated session token, granting complete access to the victim's account.
For technical details on the exploitation mechanism, see the Bob Da Hacker Blog Post and the VulnCheck Security Advisory.
Detection Methods for CVE-2025-15115
Indicators of Compromise
- Unusual login activity from unfamiliar IP addresses or geographic locations
- Multiple failed or successful authentication attempts to /member/auth/thirdLogin with varying Google IDs from the same source
- Session tokens issued for accounts without corresponding valid OAuth callbacks from Google
- Unexpected changes to pet feeding schedules or account settings
Detection Strategies
- Monitor API logs for abnormal patterns of requests to the /member/auth/thirdLogin endpoint
- Implement rate limiting on authentication endpoints to detect enumeration attempts
- Alert on authentication events that lack corresponding OAuth provider callback verification
- Deploy web application firewall (WAF) rules to identify and block suspicious third-party login request patterns
Monitoring Recommendations
- Enable detailed logging for all authentication-related API endpoints
- Set up alerts for multiple authentication attempts from single IP addresses targeting different user accounts
- Monitor for session token generation without proper OAuth flow completion
- Review account access logs for unauthorized configuration changes to connected pet feeding devices
How to Mitigate CVE-2025-15115
Immediate Actions Required
- Upgrade the Petlibro Smart Pet Feeder Platform to a version newer than 1.7.31 when a patch becomes available
- Review account access logs for signs of unauthorized access
- Reset passwords and revoke all existing session tokens for accounts showing suspicious activity
- Enable additional security monitoring on the authentication system
Patch Information
No official vendor patch has been confirmed at this time. Users should monitor the VulnCheck Security Advisory for updates on remediation guidance from the vendor.
Workarounds
- Consider disconnecting social login functionality if possible and using alternative authentication methods
- Implement network-level access controls to restrict access to the platform's authentication endpoints
- Deploy a reverse proxy or web application firewall to filter requests to the vulnerable /member/auth/thirdLogin endpoint
- Monitor account activity closely and immediately investigate any unauthorized changes to feeding schedules or account settings
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
