Cyber Resilience

CVE-2025-3660

Severity: Medium · Public PoC

Published: 04 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: none recorded
CVSS v4.0 score: 6.9 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0018 (8.0th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-3660 is a medium-severity vulnerability in the Petlibro Smart Pet Feeder Platform (vendor Petlibro), classified as CWE-612, Improper Authorization of Index Containing Sensitive Information. Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.0th percentile by exploit likelihood, well below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-3660 is a broken access control vulnerability affecting the Petlibro Smart Pet Feeder Platform in versions up to 1.7.31. The flaw is a missing ownership check in the /member/pet/detailV2 API endpoint, a classic insecure direct object reference (IDOR, also called broken object-level authorization): the endpoint looks up the pet by the client-supplied ID without confirming that the requesting account owns it. By sending requests with arbitrary pet IDs, an attacker can retrieve other users' pet details, member IDs, and avatar URLs. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), alongside the v4.0 score of 6.9 shown above, and is classified as CWE-612.

Any authenticated user of the platform can exploit this vulnerability remotely over the network with low complexity. Note the inconsistency in the published vectors: both record PR:N (no privileges required), while the description requires an authenticated account. In practice an ordinary account is all the attacker needs, so the bar is no higher than PR:L. The vectors also record a low integrity impact (I:L), although the published description documents only data retrieval. Successful exploitation exposes private pet and user information across accounts.

Advisories published by VulnCheck and by the researcher BobdaHacker provide further details, including the affected endpoint and the exploitation method. Security practitioners should review these resources at https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-broken-access-control-via-api-endpoint and https://bobdahacker.com/blog/petlibro for recommended mitigations: on the vendor side, a server-side ownership check in the endpoint; on the user side, moving to a version beyond 1.7.31. The CVE was published on 2026-01-04.


Vulnerability details

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information including pet details, member IDs, and avatar URLs without proper authorization checks.

CWE(s)

CWE-612 Improper Authorization of Index Containing Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The broken access control sits in a public-facing API endpoint (/member/pet/detailV2), so exploiting it for unauthorized data retrieval maps directly to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-3653 (same product: Petlibro)
CVE-2025-3654 (same product: Petlibro)
CVE-2025-3646 (same product: Petlibro)
CVE-2025-15115 (same product: Petlibro)
CVE-2019-25605 (shared CWE-612)

Affected Assets

Vendor: petlibro
Product: petlibro
Versions: ≤ 1.7.31

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement (prevent)

Directly enforces ownership verification on /member/pet/detailV2 requests so authenticated users cannot retrieve other accounts' pet data.

AC-6 Least Privilege (prevent)

Limits each authenticated user to only the pet objects they own, blocking the arbitrary pet-ID access that the CVE exploits.

Information flow enforcement (prevent)

Enforces information-flow rules that would restrict pet-detail responses to the data owner rather than allowing cross-account leakage.
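The ownership check that the access-enforcement and least-privilege controls above describe, together with the arbitrary-pet-ID probe described in the deeper analysis, modeled as an added example. This is not Petlibro's code and the real backend is not public: the data model, the field names (petId, memberId, avatarUrl), the in-memory store and the sample pets are all assumptions constructed for illustration. The vulnerable handler ignores the session's member ID; the fixed handler compares the object's owner with the authenticated principal before returning anything, and answers a missing pet and a foreign pet identically so the endpoint cannot be used to enumerate which IDs exist. The probe function is the regression test a reviewer would run against both handlers.

```python
"""Added example (not Petlibro code): a minimal model of the /member/pet/detailV2
handler as described in CVE-2025-3660, once with the ownership check missing and
once with it present. Data model, field names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, Iterable, List


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


@dataclass(frozen=True)
class Pet:
    pet_id: int
    member_id: int  # owning account
    name: str
    avatar_url: str


# Constructed sample data: three pets across two accounts (assumption).
PETS = {
    101: Pet(101, 1, "Mochi", "https://cdn.example/avatars/101.png"),
    102: Pet(102, 1, "Biscuit", "https://cdn.example/avatars/102.png"),
    205: Pet(205, 2, "Tofu", "https://cdn.example/avatars/205.png"),
}


def _serialize(pet: Pet) -> dict:
    # Hypothetical response shape; the real API's field names are not public.
    return {"petId": pet.pet_id, "memberId": pet.member_id,
            "name": pet.name, "avatarUrl": pet.avatar_url}


def pet_detail_v2_vulnerable(session_member_id: int, pet_id: int) -> dict:
    """Models the flaw: the session proves the caller is authenticated, but the
    pet is looked up by the client-supplied ID alone and never tied to the caller."""
    pet = PETS.get(pet_id)
    if pet is None:
        raise KeyError(pet_id)
    # No comparison of pet.member_id against session_member_id: any valid
    # account can read any pet ID it guesses.
    return _serialize(pet)


def pet_detail_v2_fixed(session_member_id: int, pet_id: int) -> dict:
    """Server-side ownership check: fetch the object, then compare its owner with
    the authenticated principal before anything is returned. A missing pet and a
    foreign pet are answered identically so the endpoint is not an existence oracle."""
    pet = PETS.get(pet_id)
    if pet is None or pet.member_id != session_member_id:
        raise Forbidden(f"pet {pet_id} is not accessible to member {session_member_id}")
    return _serialize(pet)


def probe_cross_account(handler: Callable[[int, int], dict],
                        session_member_id: int,
                        candidate_ids: Iterable[int]) -> List[int]:
    """Authorization test: call the handler as one account over a range of IDs and
    return every pet ID whose response belongs to another account. An empty list
    means no cross-account leakage for the probed IDs."""
    leaked: List[int] = []
    for pid in candidate_ids:
        try:
            resp = handler(session_member_id, pid)
        except (KeyError, Forbidden):
            continue
        if resp["memberId"] != session_member_id:
            leaked.append(pid)
    return leaked


if __name__ == "__main__":
    ids = range(100, 300)
    print("vulnerable leaks:", probe_cross_account(pet_detail_v2_vulnerable, 1, ids))
    print("fixed leaks:     ", probe_cross_account(pet_detail_v2_fixed, 1, ids))
```

Run as member 1, the vulnerable handler hands back pet 205 (owned by member 2) while the fixed handler returns nothing for it. The same probe, pointed at a real endpoint with one low-privileged test account and a range of IDs, is the check to run after a vendor fix before trusting that the ownership verification is in place.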

References

https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-broken-access-control-via-api-endpoint
https://bobdahacker.com/blog/petlibro