GHSA-3pwp-2fqj-6g2p: Duplicate Advisory: Qiskit allows arbitrary code execution decoding QPY format versions < 13

March 14, 2025

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-6m2c-76ff-6vrf. This link is maintained to preserve external references.

Original Description

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. A python process calling Qiskit 0.18.0 through 1.4.1’s qiskit.qpy.load() function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of specially constructed payload.

References

github.com/advisories/GHSA-3pwp-2fqj-6g2p
nvd.nist.gov/vuln/detail/CVE-2025-2000
www.ibm.com/support/pages/node/7185949

Code Behaviors & Features

Detect and mitigate GHSA-3pwp-2fqj-6g2p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →