GHSA-6m2c-76ff-6vrf: Qiskit allows arbitrary code execution decoding QPY format versions < 13

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-2000

Qiskit allows arbitrary code execution decoding QPY format versions < 13

Critical severity GitHub Reviewed Published Mar 14, 2025 in Qiskit/qiskit • Updated Mar 14, 2025

Affected versions

<= 1.4.1

Description

Impact

A maliciously crafted QPY file containing can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats < 13. A python process calling Qiskit’s qiskit.qpy.load() function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of specially constructed payload.

Patches

Fixed in Qiskit 1.4.2 and in Qiskit 2.0.0rc2

References

• GHSA-6m2c-76ff-6vrf
• https://nvd.nist.gov/vuln/detail/CVE-2025-2000
• https://www.ibm.com/support/pages/node/7185949

Published to the GitHub Advisory Database

Mar 14, 2025

Last updated

Mar 14, 2025

EPSS score