CVE-2025-3660 Overview
CVE-2025-3660 is a broken access control vulnerability in the Petlibro Smart Pet Feeder Platform through version 1.7.31. The flaw resides in the /member/pet/detailV2 API endpoint, which fails to verify whether the authenticated requester owns the pet record being queried. Any authenticated user can supply an arbitrary pet identifier and retrieve another user's pet details, member IDs, and avatar URLs. The issue is classified under CWE-612 (Improper Authorization of Index Containing Sensitive Information).
Critical Impact
Authenticated attackers can enumerate pet IDs against the Petlibro API to harvest personal data and member identifiers belonging to other account holders without triggering authorization checks.
Affected Products
- Petlibro Smart Pet Feeder Platform versions up to and including 1.7.31
- API endpoint /member/pet/detailV2
- Petlibro mobile and cloud-connected feeder ecosystem relying on the affected backend
Discovery Timeline
- 2026-01-04 - CVE-2025-3660 published to the National Vulnerability Database
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-3660
Vulnerability Analysis
The Petlibro platform exposes the /member/pet/detailV2 REST endpoint to authenticated mobile clients. The endpoint accepts a pet identifier supplied by the client and returns the corresponding pet record. The server validates session authentication but omits an ownership check that ties the requested pet record to the calling member account.
Because pet identifiers appear to be predictable numeric values, an attacker holding any valid Petlibro account can iterate identifiers to enumerate records across the entire customer base. Returned data includes pet metadata, owner member IDs, and avatar URLs that point to user-uploaded content.
The vulnerability is an Insecure Direct Object Reference. It does not require privilege escalation, social engineering, or weakening of transport security. The attack runs over the same network channel and account state used by the legitimate mobile app.
Root Cause
The root cause is missing server-side authorization between the authenticated session principal and the pet resource being requested. The API trusts client-supplied identifiers without cross-referencing the owning member ID stored in the database. This pattern is a textbook CWE-612 failure where an index value alone determines record access.
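The following is an added illustration of the root cause, not Petlibro code: a lookup handler in the CWE-612 shape beside one that cross-references the session principal against the record's owning member ID. The in-memory PETS table, the Forbidden exception and the handle_request wrapper are constructed for the example.

```python
class Forbidden(Exception):
    """Raised when the session principal may not access the requested pet record."""

# Constructed in-memory stand-in for the pet table (petId -> record); not Petlibro data.
PETS = {
    501: {"petId": 501, "name": "Mochi", "memberId": 1001, "avatarUrl": "https://example.invalid/avatars/501.png"},
    502: {"petId": 502, "name": "Biscuit", "memberId": 2002, "avatarUrl": "https://example.invalid/avatars/502.png"},
}

def detail_v2_vulnerable(session_member_id, pet_id):
    """CWE-612 shape: authentication was checked upstream, then the client-supplied
    index alone selects the record. session_member_id is never consulted."""
    return PETS.get(pet_id)

def detail_v2_fixed(session_member_id, pet_id):
    """Ownership enforced server-side: the record's memberId must equal the session
    principal. A foreign record and a nonexistent one raise the same error so the
    response does not reveal which identifiers exist."""
    record = PETS.get(pet_id)
    if record is None or record["memberId"] != session_member_id:
        raise Forbidden(f"pet {pet_id} is not accessible to member {session_member_id}")
    return record

def handle_request(session_member_id, body, lookup=detail_v2_fixed):
    """Minimal request wrapper (hypothetical): parses petId from the request body and
    maps the lookup outcome to an HTTP status. Foreign and missing records both
    become 404 so the endpoint cannot be used as an existence oracle."""
    try:
        pet_id = int(body["petId"])
    except (KeyError, TypeError, ValueError):
        return 400, {"error": "petId required"}
    try:
        record = lookup(session_member_id, pet_id)
    except Forbidden:
        record = None
    return (200, record) if record is not None else (404, {"error": "not found"})
```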
Attack Vector
Exploitation requires a valid Petlibro account and network access to the platform API. An attacker authenticates normally through the mobile app or by replicating its login flow, captures a session token, and issues repeated POST requests to /member/pet/detailV2 while varying the pet identifier field. The server responds with full record details for any identifier that exists, regardless of who created the record. Refer to the VulnCheck Security Advisory and the Bob Da Hacker write-up for additional technical context.
No verified proof-of-concept code is published. The advisory references describe the request shape and parameter behavior without releasing exploit tooling.
Detection Methods for CVE-2025-3660
Indicators of Compromise
- High-volume sequential or randomized requests from a single authenticated session to /member/pet/detailV2
- Single member account retrieving pet records whose returned memberId differs from the caller's account
- Outbound API traffic from non-mobile user agents targeting Petlibro endpoints
- Bulk downloads of avatar URLs referenced in successful /member/pet/detailV2 responses
Detection Strategies
- Instrument the API gateway to log the calling member ID alongside the returned memberId for every /member/pet/detailV2 response, then alert on mismatches
- Apply rate-limit anomaly rules that flag accounts issuing more pet detail requests than the expected fleet size per user
- Hunt historical access logs for accounts that queried pet identifiers in monotonic or wide-ranging sequences
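The three detection strategies above, implemented over constructed sample gateway log lines as an added example (the JSON log shape, the fleet-size threshold and the run-length threshold are assumptions, not Petlibro's logging format):

```python
import json
from collections import defaultdict

# Constructed sample gateway log lines (not real Petlibro telemetry): each records the
# calling member, the requested petId and the memberId returned in the response.
SAMPLE_LOGS = [
    '{"caller": 1001, "path": "/member/pet/detailV2", "petId": 501, "returnedMemberId": 1001}',
    '{"caller": 2002, "path": "/member/pet/detailV2", "petId": 100, "returnedMemberId": 3003}',
    '{"caller": 2002, "path": "/member/pet/detailV2", "petId": 101, "returnedMemberId": 3004}',
    '{"caller": 2002, "path": "/member/pet/detailV2", "petId": 102, "returnedMemberId": 3005}',
    '{"caller": 2002, "path": "/member/pet/detailV2", "petId": 103, "returnedMemberId": 3006}',
    '{"caller": 2002, "path": "/member/pet/detailV2", "petId": 104, "returnedMemberId": 3007}',
    '{"caller": 4004, "path": "/member/feeder/list", "petId": null, "returnedMemberId": 4004}',
]
ENDPOINT = "/member/pet/detailV2"
MAX_PETS_PER_ACCOUNT = 4  # assumed expected fleet size per user; tune to the deployment
MIN_MONOTONIC_RUN = 4     # assumed length of an increasing identifier run worth flagging

def longest_increasing_run(ids):
    """Length of the longest run of strictly increasing consecutive petId requests."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best

def analyze(log_lines, max_pets=MAX_PETS_PER_ACCOUNT, min_run=MIN_MONOTONIC_RUN):
    """Return {caller: [reasons]} for accounts matching any of the three strategies."""
    requested = defaultdict(list)   # caller -> petIds requested, in log order
    mismatched = defaultdict(list)  # caller -> petIds whose returned owner is another member
    for line in log_lines:
        rec = json.loads(line)
        if rec["path"] != ENDPOINT:
            continue
        caller, pet_id = rec["caller"], rec["petId"]
        requested[caller].append(pet_id)
        if rec["returnedMemberId"] != caller:
            mismatched[caller].append(pet_id)
    findings = {}
    for caller, ids in requested.items():
        reasons = []
        if mismatched[caller]:
            reasons.append(f"returned memberId differs from caller for pets {mismatched[caller]}")
        if len(ids) > max_pets:
            reasons.append(f"{len(ids)} detail requests exceed expected fleet size {max_pets}")
        if longest_increasing_run(ids) >= min_run:
            reasons.append("pet identifiers queried in a monotonic sequence")
        if reasons:
            findings[caller] = reasons
    return findings
```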
Monitoring Recommendations
- Forward API access logs to a centralized analytics platform and retain them long enough to support retrospective hunts
- Baseline normal per-account request volume against the /member/pet/ namespace and alert on deviations
- Monitor authentication telemetry for newly created accounts that immediately begin enumerating object identifiers
How to Mitigate CVE-2025-3660
Immediate Actions Required
- Upgrade the Petlibro Smart Pet Feeder Platform to a release later than 1.7.31 once the vendor publishes a fixed version
- Enforce server-side ownership checks on /member/pet/detailV2 and any sibling endpoints that accept pet identifiers
- Rotate API session tokens for accounts that exhibited the enumeration patterns described above
Patch Information
No vendor advisory or patched build is listed in the NVD entry at the time of publication. Operators should track the VulnCheck advisory and Petlibro vendor communications for a fixed release announcement. Until a patch is available, compensating controls at the API gateway are the primary remediation path.
Workarounds
- Deploy a reverse-proxy or API gateway rule that validates the caller's member ID against the requested pet record before forwarding the request
- Apply per-account rate limits on /member/pet/detailV2 to reduce the feasibility of large-scale enumeration
- Replace predictable numeric pet identifiers with unguessable opaque values to raise the cost of identifier brute forcing
# Example NGINX rate-limit guard for the vulnerable endpoint.
# limit_req_zone belongs in the http {} context; the location block goes in the
# server {} that fronts the Petlibro API. The zone is keyed on the Authorization
# header so the limit applies per session token. A request with no Authorization
# header yields an empty key and is not counted, which is acceptable only because
# the endpoint already rejects unauthenticated callers.
limit_req_zone $http_authorization zone=petdetail:10m rate=10r/m;

location = /member/pet/detailV2 {
    limit_req zone=petdetail burst=5 nodelay;
    limit_req_status 429;
    proxy_pass http://petlibro_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.