CVE-2025-2000 in Qiskit SDK
Summary
by MITRE • 03/14/2025
A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. A python process calling Qiskit 0.18.0 through 1.4.1's `qiskit.qpy.load()` function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of specially constructed payload.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/18/2025
This vulnerability exists within the Qiskit quantum computing framework's QPY serialization format implementation, specifically affecting versions 0.18.0 through 1.4.1. The issue stems from insufficient validation during the deserialization process of QPY files, creating a critical arbitrary code execution vector. When a Python process invokes the qiskit.qpy.load() function to process a maliciously crafted QPY file, the framework fails to properly sanitize or validate the incoming binary data before executing embedded Python code. This represents a classic deserialization vulnerability that allows attackers to construct specially crafted payloads containing malicious Python instructions that execute with the privileges of the process loading the file. The vulnerability is particularly concerning in quantum computing environments where Qiskit is often used for research and development, as these systems may contain sensitive quantum algorithms and data that could be compromised through such attacks. The flaw falls under CWE-502 which specifically addresses deserialization of untrusted data, and aligns with ATT&CK technique T1203 for legitimate program execution and T1059 for command and scripting interpreter. The impact extends beyond simple code execution to potentially compromise entire quantum computing workflows and research data integrity.
The technical implementation of this vulnerability exploits the trust model inherent in Qiskit's serialization system where QPY files are expected to contain valid quantum circuit data. During the deserialization phase, the qiskit.qpy.load() function processes the binary format without adequate safeguards against maliciously constructed payloads that can contain arbitrary Python bytecode. Attackers can construct QPY files that appear legitimate but contain embedded malicious code within the serialized quantum circuit data structures. The vulnerability does not require privilege escalation since the malicious code executes within the same process context as the legitimate Qiskit operations, making it particularly dangerous in multi-user or shared computing environments. The attack surface is significant given that QPY files are commonly used for sharing quantum circuits between different Qiskit installations, making them a natural target for supply chain attacks or malicious data injection. This vulnerability essentially transforms the QPY format from a data interchange mechanism into a potential attack vector, undermining the security assumptions of the quantum computing framework.
Organizations using Qiskit in production environments face substantial operational risks from this vulnerability, particularly those involved in quantum research, financial modeling, or cryptographic applications. The potential for remote code execution means that attackers could compromise entire quantum computing clusters or research facilities through a single malicious QPY file. This vulnerability affects not only individual developers but also institutional deployments where quantum computing resources are shared or accessed by multiple users. The impact extends to quantum algorithm development workflows where researchers might unknowingly execute malicious code while loading quantum circuits from external sources or collaborators. Security teams must consider this vulnerability in their threat modeling for quantum computing environments, as it represents a novel attack surface that combines traditional software security concerns with the specialized domain of quantum computing. The vulnerability also has implications for quantum software supply chain security, as compromised QPY files could be used to infiltrate quantum computing research networks or production systems.
Mitigation strategies should focus on immediate version upgrades to Qiskit 1.5.0 or later, which contain patches addressing the deserialization vulnerability. Organizations should implement strict file validation procedures for QPY files, particularly those received from external sources, including cryptographic checksums and digital signatures. Network segmentation and access controls should be implemented to limit exposure of quantum computing systems to untrusted data sources. Security monitoring should include detection of unusual QPY file access patterns or execution of potentially malicious code within quantum computing environments. Development teams should consider implementing additional validation layers when loading QPY files, including sandboxing or restricted execution environments. The remediation process should also include comprehensive security testing of quantum computing workflows and regular vulnerability assessments of quantum software components. Organizations should develop incident response procedures specifically tailored to quantum computing environments, ensuring that security teams understand the unique risks and mitigation strategies for quantum software vulnerabilities. These measures align with industry best practices for securing quantum computing systems and protecting against sophisticated attack vectors that target specialized software frameworks.