VYPR
Critical severity · NVD Advisory · Published Mar 14, 2025 · Updated Feb 26, 2026

Qiskit SDK code execution

CVE-2025-2000

Description

QPY format versions < 13 in Qiskit SDK 0.18.0–1.4.1 allow arbitrary code execution via deserialization of maliciously crafted QPY files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Description

CVE-2025-2000 is a deserialization vulnerability in Qiskit's QPY binary serialization format. The flaw is reached through qiskit.qpy.load() when it deserializes a file written in QPY format version 12 or earlier. A specially crafted QPY file can embed arbitrary Python code at a specific location within the binary payload, and a vulnerable Qiskit release executes that code during loading, with the privileges of the loading process and without any privilege escalation [1], [2]. The root cause is insecure deserialization of untrusted data, classified as CWE-502 [3].

Exploitation

Details

Exploitation requires an attacker to craft a malicious QPY file and get a target to load it. No authentication or prior access is needed; the attack succeeds remotely whenever a user or an automated process (a CI job, a notebook, a service that accepts uploaded circuits) passes the file to qiskit.qpy.load(). The vulnerability is present in Qiskit SDK versions 0.18.0 through 1.4.1 and in the release candidate 2.0.0rc1 [4]. The CVSS 3.1 base score is 9.8 (critical): network attack vector, low attack complexity, no privileges required, no user interaction beyond loading the file [3].

Impact

Successful exploitation lets the attacker execute arbitrary Python code in the context of the process calling qiskit.qpy.load(). That can lead to full compromise of the affected host, including data theft, installation of malware, or lateral movement within the network [2], [3]. Because the code runs with the privileges of the calling process, the blast radius is bounded only by that process's permissions; a loader running as an unprivileged, sandboxed user limits the damage, a loader running in a CI runner with deployment credentials does not.

Mitigation

The vulnerability is fixed in Qiskit 1.4.2 and in release candidate 2.0.0rc2 [4]; upgrade to those releases or later. The legacy qiskit-terra package has no fixed release (see the affected-packages table), so installations still depending on it need to migrate to qiskit >= 1.4.2. No vendor workaround is available for earlier releases [3]. Until the upgrade is in place, treat every QPY file as untrusted input: do not load files from sources you do not control, and reject files whose header declares a QPY format version below 13 before they reach qpy.load(). The issue is acknowledged in the advisory by IBM researchers Matthew Treinish and Jake Lishman [3].
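The pre-load check described above, as an added example that is not part of the advisory or of the Qiskit project's code. It assumes only the QPY file-header layout documented by Qiskit (a 6-byte "QISKIT" preface, a uint8 QPY version, three uint8 Qiskit version bytes and a uint64 program count, big-endian, plus a one-character symbolic-encoding field from QPY version 10 on). The function names parse_qpy_header, is_safe_to_load, guarded_qpy_load and make_header are this example's own, and the sample headers are constructed inline. This is a defence-in-depth gate for systems that cannot upgrade immediately; it does not replace the patch.

```python
"""Gate QPY files by declared format version before qiskit.qpy.load() sees them."""
import struct
from typing import BinaryIO, NamedTuple, Optional, Tuple

MAGIC = b"QISKIT"
# Header layouts as documented for QPY: base header, and the v10+ variant that
# appends a one-byte symbolic-encoding field ('e' symengine, 'p' sympy).
HEADER_PACK = "!6sBBBBQ"          # preface, qpy_version, major, minor, patch, num_programs
HEADER_V10_PACK = "!6sBBBBQc"     # ... plus symbolic_encoding
# First QPY format version not affected by CVE-2025-2000 (per the advisory).
MIN_SAFE_QPY_VERSION = 13


class QpyHeader(NamedTuple):
    qpy_version: int
    qiskit_version: Tuple[int, int, int]
    num_programs: int
    symbolic_encoding: Optional[str]


def parse_qpy_header(data: bytes) -> QpyHeader:
    """Parse only the fixed-size header; the payload is never interpreted."""
    base_size = struct.calcsize(HEADER_PACK)
    if len(data) < base_size:
        raise ValueError("truncated QPY header")
    magic, qpy_ver, major, minor, patch, num = struct.unpack(HEADER_PACK, data[:base_size])
    if magic != MAGIC:
        raise ValueError(f"not a QPY file (preface {magic!r})")
    encoding = None
    if qpy_ver >= 10:
        v10_size = struct.calcsize(HEADER_V10_PACK)
        if len(data) < v10_size:
            raise ValueError("truncated QPY v10+ header")
        encoding = data[base_size:v10_size].decode("ascii")
    return QpyHeader(qpy_ver, (major, minor, patch), num, encoding)


def is_safe_to_load(data: bytes, min_version: int = MIN_SAFE_QPY_VERSION) -> bool:
    """True only when the declared QPY format version is >= min_version."""
    return parse_qpy_header(data).qpy_version >= min_version


def guarded_qpy_load(fileobj: BinaryIO):
    """Refuse pre-13 files, then delegate to qiskit.qpy.load().

    qiskit is imported lazily so the header check itself runs even where the
    SDK is not installed. Assumes a seekable binary stream positioned at 0.
    """
    head = fileobj.read(struct.calcsize(HEADER_V10_PACK))
    fileobj.seek(0)
    header = parse_qpy_header(head)
    if header.qpy_version < MIN_SAFE_QPY_VERSION:
        raise ValueError(
            f"refusing QPY format version {header.qpy_version} "
            f"(< {MIN_SAFE_QPY_VERSION}): affected by CVE-2025-2000 on unpatched Qiskit"
        )
    from qiskit import qpy  # deferred import; only reached for version >= 13

    return qpy.load(fileobj)


def make_header(qpy_version: int, qiskit_version=(1, 4, 1), num_programs=1) -> bytes:
    """Constructed sample header (no payload) used to exercise the gate."""
    base = struct.pack(HEADER_PACK, MAGIC, qpy_version, *qiskit_version, num_programs)
    # Versions >= 10 carry the symbolic-encoding byte; 'e' (symengine) is assumed here.
    return base + (b"e" if qpy_version >= 10 else b"")


if __name__ == "__main__":
    for version in (9, 12, 13):
        print(f"QPY v{version}: safe_to_load={is_safe_to_load(make_header(version))}")
```

The check reads only the first 19 bytes, so it runs before any of the payload parsing that the advisory describes as the execution point; a file can of course lie about its version, but a lie that claims version 13 or later simply sends it down the patched code path on a fixed Qiskit, which is why the gate is a supplement to upgrading rather than a substitute.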

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions           Patched versions
qiskit-terra   PyPI        >= 0.18.0, <= 0.46.3        none listed
qiskit         PyPI        < 1.4.2                     1.4.2
qiskit         PyPI        >= 2.0.0rc1, < 2.0.0rc2     2.0.0rc2

