Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable low-complexity crash affecting availability only; PR:L reflects that delivering an interaction-model invoke normally requires an established Matter fabric session, not fully anonymous access.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, in the interaction model command processing logic. When an InvokeCommandRequest is sent to a nonexistent endpoint and cluster (e.g., 0x34), the code incorrectly treats the endpoint as valid due to missing checks in CodegenDataModelProvider::Invoke. This causes a VerifyOrDie failure in ProcessCommandDataIB and results in a crash (SIGABRT). The issue has been acknowledged and fixed in a later revision (PR #37207).
AnalysisAI
Denial of service in the Matter SDK (connectedhomeip) before 1.4.0 lets a network attacker crash the device by sending an InvokeCommandRequest to a nonexistent endpoint/cluster (e.g. 0x34), which the interaction model treats as valid and then aborts on a VerifyOrDie assertion (SIGABRT). This is a reachable-assertion bug (CWE-617) with availability-only impact and no data compromise. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the issue was acknowledged upstream and fixed in PR #37207.
Technical ContextAI
The Matter SDK (project-chip/connectedhomeip) is the open-source reference implementation of the Matter smart-home interoperability protocol, providing the data model, interaction model, and transport stack embedded in many Matter-certified accessories and controllers. The defect lives in the codegen data model provider: CodegenDataModelProvider::Invoke (and related AcceptedCommands/GeneratedCommands paths) failed to first confirm that the target cluster actually exists on the addressed endpoint. Because some CommandHandlerInterface instances register for ALL endpoints, an invoke against a bogus endpoint/cluster path bypassed metadata validation and reached ProcessCommandDataIB, which enforces path validity with a VerifyOrDie that aborts the process. The fix adds an explicit FindServerCluster/ValidateClusterPath check (returning CHIP_ERROR_NOT_FOUND / Status::UnsupportedEndpoint / UnsupportedCluster) before command dispatch. Per CWE-617 (Reachable Assertion), attacker-controlled input drives an assertion that is meant to catch programmer errors, converting a should-never-happen condition into an availability failure.
RemediationAI
Upstream fix available (PR #37207); a released patched version is Matter SDK 1.4.0 or later per the 'before 1.4.0' NVD description, so upgrade the connectedhomeip dependency to 1.4.0+ and rebuild/reflash affected device firmware and controllers. The fix adds a cluster-existence check (FindServerCluster/ValidateClusterPath returning NOT_FOUND for unknown endpoint or cluster) before command dispatch - see https://github.com/project-chip/connectedhomeip/pull/37207 and issue https://github.com/project-chip/connectedhomeip/issues/37184. Where immediate rebuilding is not possible, reduce exposure by restricting network reachability to the Matter device (isolate it on a trusted IoT VLAN and limit which controllers can open sessions), and where the platform supports it disable VerifyOrDie-style abort-on-assert or wrap it to fail the transaction instead of the process - with the trade-off that suppressing the assert masks genuine invariant violations and should only be a stopgap until the validated build is deployed. Because impact is a process crash, ensure a watchdog/supervisor automatically restarts the Matter application to shorten downtime.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210472
GHSA-wj9x-8hv5-2p36