CVE-2025-3652: Petlibro Smart Pet Feeder Info Disclosure

CVE-2025-3652 Overview

CVE-2025-3652 is an information disclosure vulnerability affecting the Petlibro Smart Pet Feeder Platform versions up to 1.7.31. This vulnerability allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to the /device/deviceAudio/use endpoint with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users' private recordings.

Critical Impact
Unauthorized attackers can access private audio recordings from any Petlibro Smart Pet Feeder user, compromising user privacy and potentially exposing sensitive household audio data.

Affected Products

Petlibro Smart Pet Feeder Platform versions up to 1.7.31

Discovery Timeline

2026-01-04 - CVE-2025-3652 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-3652

Vulnerability Analysis

This vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The Petlibro Smart Pet Feeder Platform fails to properly validate whether a user has authorization to access or assign specific audio recordings. The platform uses sequential, predictable audio IDs without implementing proper ownership verification, allowing attackers to enumerate and access audio recordings belonging to other users.

The attack is network-based and requires no authentication or user interaction, making it particularly concerning for IoT device users who expect their private recordings to remain confidential.

Root Cause

The root cause of this vulnerability lies in the insecure implementation of the audio assignment endpoint (/device/deviceAudio/use). The platform does not verify that the requesting user owns or has permission to access the audio ID being requested. Combined with the use of sequential (predictable) audio IDs, this creates a classic Insecure Direct Object Reference (IDOR) condition that enables unauthorized data access.

Attack Vector

An attacker exploits this vulnerability by sending crafted HTTP requests to the /device/deviceAudio/use API endpoint. The attack flow involves:

The attacker identifies the predictable pattern of audio IDs used by the platform
The attacker sends requests with arbitrary audio IDs to the vulnerable endpoint
The platform incorrectly assigns the audio recording to the attacker's device without ownership verification
The attacker retrieves the audio URL and gains access to private recordings belonging to other users

This attack can be performed remotely over the network without any special privileges or user interaction, making it straightforward to execute at scale against the entire user base.

Detection Methods for CVE-2025-3652

Indicators of Compromise

Unusual patterns of requests to /device/deviceAudio/use endpoint with sequential or enumerated audio IDs
High volume of audio assignment requests from a single source IP or user account
Access logs showing audio retrieval for IDs not associated with the requesting user's devices
Anomalous spikes in audio URL generation or access patterns

Detection Strategies

Implement API request rate limiting and monitoring for the /device/deviceAudio/use endpoint
Deploy web application firewalls (WAF) with rules to detect enumeration attacks and IDOR attempts
Enable comprehensive logging of all audio assignment and retrieval operations with user context
Monitor for unusual patterns of sequential resource access that may indicate enumeration attacks

Monitoring Recommendations

Configure alerts for excessive API requests targeting audio-related endpoints
Implement anomaly detection for users accessing resources outside their normal ownership scope
Establish baseline metrics for audio assignment operations and alert on significant deviations
Review access logs regularly for signs of unauthorized audio ID enumeration

How to Mitigate CVE-2025-3652

Immediate Actions Required

Upgrade Petlibro Smart Pet Feeder Platform to a version newer than 1.7.31 if available
Implement network-level restrictions to limit access to the vulnerable API endpoint
Review audio access logs to identify any potential unauthorized access that may have already occurred
Consider temporarily disabling audio recording features until a patch is applied

Patch Information

Consult the vendor's official channels for patch availability. Technical details and security advisories are available from VulnCheck Security Advisory and BobdaHacker Blog Post.

Workarounds

Implement additional access control layers at the network perimeter to restrict API access to trusted sources
Deploy API gateway solutions that can enforce proper authorization checks on the vulnerable endpoint
Monitor and rate-limit requests to the /device/deviceAudio/use endpoint to slow potential enumeration attacks
Consider using a VPN or network segmentation to isolate IoT devices from untrusted networks

CVE-2025-3652 Overview

Critical Impact
Unauthorized attackers can access private audio recordings from any Petlibro Smart Pet Feeder user, compromising user privacy and potentially exposing sensitive household audio data.

Affected Products

Petlibro Smart Pet Feeder Platform versions up to 1.7.31

Discovery Timeline

2026-01-04 - CVE-2025-3652 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-3652

Vulnerability Analysis

The attack is network-based and requires no authentication or user interaction, making it particularly concerning for IoT device users who expect their private recordings to remain confidential.

Root Cause

Attack Vector

An attacker exploits this vulnerability by sending crafted HTTP requests to the /device/deviceAudio/use API endpoint. The attack flow involves:

The attacker identifies the predictable pattern of audio IDs used by the platform
The attacker sends requests with arbitrary audio IDs to the vulnerable endpoint
The platform incorrectly assigns the audio recording to the attacker's device without ownership verification
The attacker retrieves the audio URL and gains access to private recordings belonging to other users

This attack can be performed remotely over the network without any special privileges or user interaction, making it straightforward to execute at scale against the entire user base.

Detection Methods for CVE-2025-3652

Indicators of Compromise

Unusual patterns of requests to /device/deviceAudio/use endpoint with sequential or enumerated audio IDs
High volume of audio assignment requests from a single source IP or user account
Access logs showing audio retrieval for IDs not associated with the requesting user's devices
Anomalous spikes in audio URL generation or access patterns

Detection Strategies

Implement API request rate limiting and monitoring for the /device/deviceAudio/use endpoint
Deploy web application firewalls (WAF) with rules to detect enumeration attacks and IDOR attempts
Enable comprehensive logging of all audio assignment and retrieval operations with user context
Monitor for unusual patterns of sequential resource access that may indicate enumeration attacks

Monitoring Recommendations

Configure alerts for excessive API requests targeting audio-related endpoints
Implement anomaly detection for users accessing resources outside their normal ownership scope
Establish baseline metrics for audio assignment operations and alert on significant deviations
Review access logs regularly for signs of unauthorized audio ID enumeration

How to Mitigate CVE-2025-3652

Immediate Actions Required

Upgrade Petlibro Smart Pet Feeder Platform to a version newer than 1.7.31 if available
Implement network-level restrictions to limit access to the vulnerable API endpoint
Review audio access logs to identify any potential unauthorized access that may have already occurred
Consider temporarily disabling audio recording features until a patch is applied

Patch Information

Consult the vendor's official channels for patch availability. Technical details and security advisories are available from VulnCheck Security Advisory and BobdaHacker Blog Post.

Workarounds

Implement additional access control layers at the network perimeter to restrict API access to trusted sources
Deploy API gateway solutions that can enforce proper authorization checks on the vulnerable endpoint
Monitor and rate-limit requests to the /device/deviceAudio/use endpoint to slow potential enumeration attacks
Consider using a VPN or network segmentation to isolate IoT devices from untrusted networks

CVE-2025-3652: Petlibro Smart Pet Feeder Info Disclosure

CVE-2025-3652 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-3652

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-3652

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-3652

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-3652: Petlibro Smart Pet Feeder Info Disclosure

CVE-2025-3652 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-3652

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-3652

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-3652

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform