
CVE-2025-3660: Improper Authorization of Index Containing Sensitive Information in Petlibrio Smart Pet Feeder Platform

Severity: Medium
Published: Sat Jan 03 2026 (01/03/2026, 23:33:04 UTC)
Source: CVE Database V5
Vendor/Project: Petlibrio
Product: Smart Pet Feeder Platform

Description

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information, including pet details, member IDs, and avatar URLs, without proper authorization checks.

AI-Powered Analysis

AI analysis last updated: 01/03/2026, 23:58:50 UTC

Technical Analysis

CVE-2025-3660 is a broken access control vulnerability in the Petlibrio Smart Pet Feeder Platform, affecting versions up to 1.7.31. The flaw arises from missing ownership verification on the /member/pet/detailV2 API endpoint: the endpoint looks up a pet by the ID supplied in the request without confirming that the requesting account owns that pet, so an attacker can enumerate arbitrary pet IDs and retrieve sensitive information such as pet details, member IDs, and avatar URLs. Notably, the vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low complexity.

The impact is primarily on confidentiality, since unauthorized users can read private pet and user data, which may lead to privacy violations or targeted social engineering. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), low impact on confidentiality and integrity, and no impact on availability. Although no exploits are known in the wild, the nature of the flaw and its ease of exploitation make it a significant privacy concern for users of the platform. The absence of patch links suggests that a fix may not yet be publicly available, so affected organizations should apply mitigations without waiting for one.
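To make the missing check concrete, here is an added example (not Petlibrio's code) of a minimal in-memory model of a pet-detail lookup: the vulnerable handler ignores who is asking, while the hardened handler releases the record only to its owner. The data, field names and the `NotFound` error are constructed for the example.

```python
# Added example, not the vendor's code: the /member/pet/detailV2 lookup as a
# vulnerable handler beside its hardened form. Sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pet:
    pet_id: int
    owner_member_id: int
    name: str
    avatar_url: str


class NotFound(Exception):
    """Raised for unknown pets and, in the fixed handler, for pets the caller does not own."""


# Constructed sample data: two members, each owning one pet.
PETS = {
    101: Pet(101, 1, "Mochi", "https://cdn.example/avatars/101.png"),
    102: Pet(102, 2, "Biscuit", "https://cdn.example/avatars/102.png"),
}


def _serialize(pet: Pet) -> dict:
    return {"petId": pet.pet_id, "memberId": pet.owner_member_id,
            "name": pet.name, "avatarUrl": pet.avatar_url}


def pet_detail_vulnerable(caller_member_id: int, pet_id: int) -> dict:
    """Looks up the pet by ID only. caller_member_id is never compared with the
    record's owner, so any valid pet ID returns another member's data."""
    pet = PETS.get(pet_id)
    if pet is None:
        raise NotFound(pet_id)
    return _serialize(pet)


def pet_detail_fixed(caller_member_id: int, pet_id: int) -> dict:
    """Same lookup, but the record is released only if the authenticated caller
    owns it. Unknown and not-owned pets get the same error, so the endpoint does
    not confirm which pet IDs exist."""
    pet = PETS.get(pet_id)
    if pet is None or pet.owner_member_id != caller_member_id:
        raise NotFound(pet_id)
    return _serialize(pet)


def fixed_releases(caller_member_id: int, pet_id: int) -> bool:
    """True if the hardened handler returns the record to this caller."""
    try:
        pet_detail_fixed(caller_member_id, pet_id)
        return True
    except NotFound:
        return False
```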

Potential Impact

For European organizations using the Petlibrio Smart Pet Feeder Platform, this vulnerability could lead to unauthorized disclosure of sensitive user and pet information, violating privacy regulations such as GDPR. The exposure of member IDs and pet details could facilitate identity correlation, targeted phishing, or social engineering attacks against pet owners. While the vulnerability does not directly impact system availability or integrity, the confidentiality breach could damage user trust and lead to regulatory penalties. Organizations in sectors such as pet care services, veterinary clinics, or IoT device resellers that integrate this platform may face reputational harm and compliance risks. The remote and unauthenticated nature of the exploit increases the risk of widespread data leakage if attackers systematically enumerate pet IDs. Given the growing adoption of smart pet devices in Europe, the potential scale of impact is non-trivial, especially in countries with high pet ownership and IoT usage.

Mitigation Recommendations

Organizations should immediately audit their Petlibrio Smart Pet Feeder Platform deployments and restrict access to the vulnerable API endpoint. Since no official patches are currently available, implement network-level controls such as IP whitelisting or VPN access to limit exposure. Monitor API logs for unusual or repeated requests to /member/pet/detailV2 with varying pet IDs, which may indicate exploitation attempts. Engage with the vendor to obtain or expedite security patches that enforce strict ownership verification and authorization checks on all sensitive endpoints. Additionally, consider implementing application-layer firewalls or API gateways that can enforce access policies and rate limiting. Educate users about the risks of sharing pet-related data and encourage strong authentication practices if applicable. Finally, prepare incident response plans to address potential data breaches stemming from this vulnerability.
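The log monitoring recommended above can be scripted. The following is an added example, not from the advisory: it parses constructed access-log lines and flags any client/member that requested more distinct pet IDs on /member/pet/detailV2 than a member would plausibly own. The log line format and the `petId` query parameter name are assumptions; adapt both to the real platform's logs.

```python
# Added example: detect pet-ID enumeration against /member/pet/detailV2 in
# access logs. Log format, the "petId" parameter name and all sample lines are
# constructed assumptions, not taken from the vendor's platform.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed log lines: "<client_ip> member=<id> <method> <path> <status>".
SAMPLE_LOG = """\
203.0.113.5 member=1 GET /member/pet/detailV2?petId=101 200
203.0.113.5 member=1 GET /member/pet/detailV2?petId=102 200
203.0.113.5 member=1 GET /member/pet/detailV2?petId=103 200
203.0.113.5 member=1 GET /member/pet/detailV2?petId=104 200
198.51.100.7 member=2 GET /member/pet/detailV2?petId=102 200
198.51.100.7 member=2 GET /member/pet/list 200
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) member=(?P<member>\S+) (?P<method>\S+) "
    r"(?P<target>\S+) (?P<status>\d{3})$"
)
ENDPOINT = "/member/pet/detailV2"


def pet_ids_per_source(log_text: str) -> dict[str, set[str]]:
    """Map 'client_ip/member' to the set of petId values it requested on the endpoint."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        url = urlparse(m["target"])
        if url.path != ENDPOINT:
            continue
        for pet_id in parse_qs(url.query).get("petId", []):
            seen[f"{m['client']}/{m['member']}"].add(pet_id)
    return dict(seen)


def flag_enumeration(log_text: str, threshold: int = 3) -> list[str]:
    """Return sources that requested more than `threshold` distinct pet IDs.
    A legitimate member queries only the few pets it owns, so a source walking
    through many distinct IDs is a strong indicator of enumeration."""
    return sorted(src for src, ids in pet_ids_per_source(log_text).items()
                  if len(ids) > threshold)
```

Tune `threshold` to the largest number of pets a single account realistically owns, and key on client IP alone if the member identity is not present in the logs.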


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:12:23.273Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6959a9dfdb813ff03e731cab

Added to database: 1/3/2026, 11:44:31 PM

Last enriched: 1/3/2026, 11:58:50 PM

Last updated: 1/8/2026, 7:22:08 AM

