Cyber Posture

CVE-2025-15115

Severity: Medium · Public PoC available

Published: 04 January 2026

Modified: 03 February 2026
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0017 (38.4th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and account access without proper OAuth verification.

Mitigating Controls (NIST 800-53 r5), AI-generated

- Prevent: Requires secure management and validation of identity providers and authorization servers like Google OAuth to prevent authentication bypass via flawed token validation in social login systems.
- Prevent: Mandates information input validation at API endpoints like /member/auth/thirdLogin to reject arbitrary Google IDs and phoneBrand parameters that exploit OAuth verification flaws.
- Prevent: Ensures proper management of authenticators such as session tokens, requiring verification before issuance to mitigate unauthorized token generation from inadequate OAuth checks.

Security Summary, AI-generated

CVE-2025-15115 is an authentication bypass vulnerability in the Petlibro Smart Pet Feeder Platform versions up to 1.7.31. The flaw arises from inadequate OAuth token validation in the social login system, enabling attackers to send crafted requests to the /member/auth/thirdLogin endpoint with arbitrary Google IDs and phoneBrand parameters. This bypasses proper OAuth verification, allowing retrieval of full session tokens and unauthorized access to any user account.

Unauthenticated attackers with network access can exploit this vulnerability at low complexity with no user interaction or privileges required. Exploitation yields partial confidentiality and integrity impacts, such as account takeover, without affecting availability. The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and maps to CWE-862 (Missing Authentication).

Advisories detailing the vulnerability, including mitigation guidance, are available from VulnCheck at https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-authentication-bypass-via-api-endpoint and BobdaHacker at https://bobdahacker.com/blog/petlibro. Security practitioners should consult these for patch information and recommended remediations.
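The flaw summarised above is a login handler that treats a client-supplied Google ID as proof of identity instead of verifying the provider's ID token. As an added illustration, not code from this page or from Petlibro, the following contrasts that pattern with a handler that derives the account only from a verified token's subject claim. It assumes a constructed HS256 demo key, a placeholder audience and a constructed account table; real Google ID tokens are RS256-signed and are checked against Google's published JWKS (for example with google-auth's verify_oauth2_token).

```python
import base64, hashlib, hmac, json, time

# Constructed demo key and placeholder audience (assumptions, not Petlibro values).
# Real Google ID tokens are RS256-signed and are verified against Google's JWKS.
IDP_KEY = b"constructed-demo-signing-key"
EXPECTED_ISS = "https://accounts.google.com"
EXPECTED_AUD = "placeholder-client-id.apps.googleusercontent.com"
ACCOUNTS = {"sub-1001": "alice@example.com", "sub-1002": "bob@example.com"}  # constructed, keyed by provider sub

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict) -> str:
    """Stand-in for the identity provider minting an ID token (HS256 for the demo)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def vulnerable_third_login(params: dict):
    return ACCOUNTS.get(params.get("googleId"))  # flawed: client-supplied googleId taken as identity

def verify_id_token(token: str, now=None) -> dict:
    """Check signature, algorithm, issuer, audience and expiry; raise on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def hardened_third_login(params: dict):
    """Identity comes only from the verified token's sub; googleId/phoneBrand are ignored."""
    try:
        claims = verify_id_token(params.get("idToken", ""))
    except ValueError:
        return None  # deny; in production, log the reason so failed bypass attempts are detectable
    return ACCOUNTS.get(claims.get("sub"))
```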

Details

CWE(s): CWE-862

Affected Products: petlibro (vendor), petlibro (product), versions ≤ 1.7.31

MITRE ATT&CK Enterprise Techniques, AI-generated

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing API endpoint (T1190: Exploit Public-Facing Application), enabling unauthorized access to any user account via session tokens (T1078: Valid Accounts).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
