
CVE-2025-3660: Improper Authorization of Index Containing Sensitive Information in Petlibrio Smart Pet Feeder Platform

Severity: Medium
Published: Sat Jan 03 2026 (01/03/2026, 23:33:04 UTC)
Source: CVE Database V5
Vendor/Project: Petlibrio
Product: Smart Pet Feeder Platform

Description

CVE-2025-3660 is a medium-severity broken access control vulnerability in the Petlibro Smart Pet Feeder Platform up to version 1.7.31. It allows unauthenticated attackers to access sensitive pet and user data by exploiting missing ownership verification on the /member/pet/detailV2 endpoint. Attackers can retrieve pet details, member IDs, and avatar URLs by submitting arbitrary pet IDs without proper authorization checks. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. Although no known exploits are currently in the wild, the flaw exposes personal information that could lead to privacy violations and targeted attacks. European organizations using this platform may face data confidentiality risks, especially those with large user bases or pet care services. Mitigation requires implementing strict ownership verification on API requests and monitoring for suspicious access patterns. Countries with higher adoption of smart pet devices and strong privacy regulations, such as Germany, France, and the UK, are more likely to be impacted.

AI-Powered Analysis

Last updated: 01/11/2026, 21:28:03 UTC

Technical Analysis

CVE-2025-3660 identifies a broken access control vulnerability in the Petlibro Smart Pet Feeder Platform, specifically affecting versions up to 1.7.31. The flaw exists due to missing ownership verification on the API endpoint /member/pet/detailV2, which allows attackers to submit arbitrary pet IDs and retrieve sensitive information belonging to other users. This information includes pet details, member IDs, and avatar URLs. The vulnerability is exploitable remotely without requiring authentication or user interaction, making it accessible to any attacker with network access to the platform. The CVSS 4.0 score is 6.9 (medium severity), reflecting the network attack vector, low complexity, and no privileges or user interaction required. The impact primarily concerns confidentiality, as unauthorized access to personal pet and user data could lead to privacy breaches or facilitate further targeted attacks. No patches or known exploits are currently reported, but the vulnerability highlights a critical design flaw in access control mechanisms. The platform’s failure to enforce strict ownership checks on sensitive data endpoints exposes users to data leakage risks. This vulnerability underscores the importance of robust authorization controls in IoT and smart device ecosystems, where personal data is often involved.
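The missing ownership check described above, shown as a vulnerable handler beside a hardened one. This is an added illustration, not Petlibro's code; the Pet record, the PETS table and the (status, body) return shape are assumptions standing in for the real endpoint.

```python
# Added example (not Petlibro's code): the missing ownership check on
# /member/pet/detailV2, shown as a vulnerable handler beside a hardened one.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pet:
    pet_id: int
    owner_member_id: int
    name: str
    avatar_url: str

# Constructed sample data: two members who each own one pet.
PETS = {
    101: Pet(101, 1, "Biscuit", "https://cdn.example.invalid/avatars/101.png"),
    102: Pet(102, 2, "Mochi", "https://cdn.example.invalid/avatars/102.png"),
}

def _serialize(pet: Pet) -> dict:
    # The fields the advisory says the endpoint returns.
    return {"petId": pet.pet_id, "memberId": pet.owner_member_id,
            "name": pet.name, "avatarUrl": pet.avatar_url}

def pet_detail_vulnerable(pet_id: int) -> tuple[int, dict]:
    """Mirrors the flaw: the only input is the caller-supplied pet ID, so any
    caller, authenticated or not, can read any pet's record."""
    pet = PETS.get(pet_id)
    if pet is None:
        return 404, {"error": "pet not found"}
    return 200, _serialize(pet)

def pet_detail_fixed(session_member_id: Optional[int], pet_id: int) -> tuple[int, dict]:
    """Hardened handler: require a session, then verify the pet belongs to it."""
    if session_member_id is None:
        return 401, {"error": "authentication required"}
    pet = PETS.get(pet_id)
    # Same response for "does not exist" and "not yours", so the endpoint
    # cannot be used to confirm which pet IDs are valid.
    if pet is None or pet.owner_member_id != session_member_id:
        return 404, {"error": "pet not found"}
    return 200, _serialize(pet)

if __name__ == "__main__":
    print(pet_detail_vulnerable(102))   # leaks member 2's record to anyone
    print(pet_detail_fixed(1, 102))     # 404: member 1 does not own pet 102
    print(pet_detail_fixed(2, 102))     # 200: the owner
```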

Potential Impact

For European organizations, the primary impact of CVE-2025-3660 is the unauthorized disclosure of sensitive user and pet information, which could violate GDPR and other privacy regulations, leading to legal and reputational consequences. Organizations operating pet care services, veterinary clinics, or smart home device management platforms that integrate Petlibro feeders may inadvertently expose customer data. The breach of pet and member identifiers could also facilitate social engineering or phishing attacks targeting users. Although the vulnerability does not directly affect device availability or integrity, the loss of confidentiality can undermine user trust and result in regulatory fines. Additionally, attackers could use the exposed data to map user behaviors or locations if combined with other data sources. The medium severity rating suggests a moderate but tangible risk, especially for entities with large user bases or those in countries with strict data protection enforcement. The lack of authentication requirements increases the attack surface, making it easier for malicious actors to exploit the flaw at scale.

Mitigation Recommendations

To mitigate CVE-2025-3660, Petlibro and affected organizations should immediately implement strict ownership verification on the /member/pet/detailV2 API endpoint, ensuring that users can only access data associated with their authenticated accounts. This includes validating the pet ID against the authenticated user's permissions before returning any data. Network-level protections such as IP whitelisting or rate limiting can reduce the risk of mass data harvesting. Organizations should conduct thorough access control audits across all API endpoints to identify similar flaws. Monitoring and logging access to sensitive endpoints should be enhanced to detect anomalous request patterns indicative of exploitation attempts. Users should be advised to update to patched versions once available and to monitor their accounts for suspicious activity. Additionally, organizations should review their data retention and minimization policies to limit the amount of sensitive data exposed via APIs. Coordinated vulnerability disclosure and timely patch deployment are critical to reducing exposure.
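One way to do the monitoring the recommendations call for: flag clients that request many distinct pet IDs from /member/pet/detailV2 in a short window, which is the access pattern mass harvesting would leave behind. This is an added example, not tooling from Petlibro or the advisory; the log line format, the 5-minute window and the threshold of 10 distinct IDs are assumptions.

```python
# Added example (not Petlibro's code): detect pet-ID enumeration on
# /member/pet/detailV2 from access logs. Log format is assumed:
#   "<ISO8601 ts> <client ip> <method> <path?query> <status>"
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
ENDPOINT = "/member/pet/detailV2"

def parse_line(line):
    """Return {ts, src, pet_id, status} for a detailV2 request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    if path != ENDPOINT:
        return None
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    if "petId" not in params:
        return None
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"], "pet_id": params["petId"], "status": int(m["status"])}

def find_enumerators(lines, window=timedelta(minutes=5), threshold=10):
    """Map each client that asked for more than `threshold` distinct pet IDs
    inside any `window`-long span to the largest distinct count observed."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):          # sliding window over time
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = len({e["pet_id"] for e in events[start:end + 1]})
            if distinct > threshold:
                flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged

# Constructed sample log: one client walks 15 pet IDs in 15 seconds; another
# fetches its own pet three times and must not be flagged.
SAMPLE_LOG = [f"2026-01-03T23:33:{i:02d}Z 203.0.113.7 GET {ENDPOINT}?petId={1000 + i} 200"
              for i in range(15)]
SAMPLE_LOG += [f"2026-01-03T23:33:10Z 198.51.100.4 GET {ENDPOINT}?petId=101 200"] * 3

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```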


Technical Details

Data Version
5.2
Assigner Short Name
VulnCheck
Date Reserved
2025-04-15T19:12:23.273Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6959a9dfdb813ff03e731cab

Added to database: 1/3/2026, 11:44:31 PM

Last enriched: 1/11/2026, 9:28:03 PM

Last updated: 2/5/2026, 3:17:58 PM

