CVE-2025-2000 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-2000

CVE-2025-2000

March 14, 2025

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. A python process calling Qiskit 0.18.0 through 1.4.1's "qiskit.qpy.load()" function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of specially constructed payload.

Affected Packages

qiskit (CONDA):

Affected version(s) >=0.44.1 <1.4.2

Fix Suggestion:

Update to version 1.4.2

https://github.com/Qiskit/qiskit.git (GITHUB):

Affected version(s) >=0.1 <1.4.2

Fix Suggestion:

Update to version 1.4.2

qiskit (PYTHON):

Affected version(s) >=0.3.2 <1.4.2

Fix Suggestion:

Update to version 1.4.2

qiskit (PYTHON):

Affected version(s) >=0.3.2 <1.4.2

Fix Suggestion:

Update to version 1.4.2

qiskit (PYTHON):

Affected version(s) =2.0.0rc1 <2.0.0rc2

Fix Suggestion:

Update to version 2.0.0rc2

Related Resources (4)

https://github.com/Qiskit/qiskit

https://nvd.nist.gov/vuln/detail/CVE-2025-2000

https://github.com/Qiskit/qiskit/security/advisories/GHSA-6m2c-76ff-6vrf

https://www.ibm.com/support/pages/node/7185949

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

EPSS

Base Score:

0.37

Products

Solutions

Resources

Company

Compare

Developer Tools