CVE-2025-3646

7.3 HIGH

📋 TL;DR

This authorization bypass vulnerability in Petlibro Smart Pet Feeder Platform allows unauthorized users to add themselves as shared owners to any device by exploiting missing permission checks in the device share API. Attackers can gain unauthorized access to devices and view owner information without proper authorization. All users of Petlibro Smart Pet Feeder Platform versions up to 1.7.31 are affected.

💻 Affected Systems

Products:
  • Petlibro Smart Pet Feeder Platform
Versions: Up to and including 1.7.31
Operating Systems: All platforms running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable software version are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative control over all connected pet feeders, potentially disrupting feeding schedules, accessing owner personal information, and compromising the entire smart home ecosystem.

🟠 Likely Case

Unauthorized users gain access to specific pet feeders they shouldn't have access to, allowing them to view owner information and potentially modify feeding schedules.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to unauthorized viewing of device information without ability to modify critical functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending crafted requests to the device share API endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.32 or later

Vendor Advisory: https://bobdahacker.com/blog/petlibro

Restart Required: Yes

Instructions:

1. Check the current version using the device management interface.
2. Update to version 1.7.32 or later through the official update mechanism.
3. Restart the device to apply the patch.

🔧 Temporary Workarounds

Network Isolation (platform: all)

Isolate Petlibro devices on a separate VLAN or network segment to limit exposure.

API Endpoint Blocking (platform: linux)

Block access to the device share API endpoint at the network perimeter.

# Perimeter gateway rule: traffic forwarded for the devices traverses FORWARD, while INPUT only matches traffic addressed to the firewall host itself.
iptables -A FORWARD -p tcp --dport [API_PORT] -j DROP

🧯 If You Can't Patch

  • Disable device sharing functionality entirely if not required
  • Implement strict network access controls to limit who can communicate with the device API

🔍 How to Verify

Check if Vulnerable:

Check if your Petlibro device is running version 1.7.31 or earlier through the device management interface or mobile app.

Check Version:

Check through the Petlibro mobile app or the device web interface.

Verify Fix Applied:

Verify the device is running version 1.7.32 or later and test that unauthorized users cannot add themselves as shared owners.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API calls to device share endpoints
  • Multiple failed authentication attempts followed by successful share operations

Network Indicators:

  • Unusual API requests to device share endpoints from unauthorized IP addresses
  • Traffic patterns showing share operations without preceding authentication

SIEM Query:

source="petlibro" AND (event="device_share" OR api_endpoint="/api/share") AND (user="unknown" OR auth_status="failed")
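To make the log and network indicators above concrete, here is an added detector (example code, not from this advisory or the vendor) that runs over constructed log lines and flags share operations with no preceding successful authentication by the actor, share grants by a non-owner, and self-grants, the pattern behind this authorization bypass. The log format, field names and owner table are assumptions.

```python
from collections import namedtuple

# Constructed sample log (not real Petlibro telemetry). Each line:
# <seq> <event> <user> <device> <target> <auth_status>
# 'target' is the account being granted share access; '-' means not applicable.
SAMPLE_LOG = """\
1 auth         alice   dev-1 -       success
2 device_share alice   dev-1 bob     -
3 device_share mallory dev-1 mallory -
4 auth         carol   dev-2 -       failed
5 device_share carol   dev-2 carol   -
"""

# Constructed owner table (assumption: the platform records one owner per device).
OWNERS = {"dev-1": "alice", "dev-2": "dave"}

Event = namedtuple("Event", "seq event user device target auth_status")


def parse_log(text):
    """Split whitespace-separated log lines into Event records."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def find_suspicious_shares(text, owners):
    """Return (seq, user, device, reasons) for every device_share event that
    matches an indicator: no earlier successful auth by the actor, an actor
    who is not the device's recorded owner, or an actor sharing to itself."""
    authenticated = set()
    alerts = []
    for ev in parse_log(text):
        if ev.event == "auth":
            if ev.auth_status == "success":
                authenticated.add(ev.user)
            continue
        if ev.event != "device_share":
            continue
        reasons = []
        if ev.user not in authenticated:
            reasons.append("share without preceding successful auth")
        if owners.get(ev.device) != ev.user:
            reasons.append("actor is not the device owner")
        if ev.target == ev.user:
            reasons.append("actor granted share access to itself")
        if reasons:
            alerts.append((int(ev.seq), ev.user, ev.device, reasons))
    return alerts


if __name__ == "__main__":
    for seq, user, device, reasons in find_suspicious_shares(SAMPLE_LOG, OWNERS):
        print(f"event {seq}: {user} on {device}: {'; '.join(reasons)}")
```

Against the sample, the legitimate owner share (event 2) passes, while events 3 and 5 are flagged on all three indicators.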

🔗 References
