Arbitrary Code Execution Vulnerability in Qiskit by IBM
CVE-2025-2000

9.8CRITICAL

Key Information:

Vendor
IBM
Vendor
CVE Published:
14 March 2025

What is CVE-2025-2000?

CVE-2025-2000 is a critical vulnerability in Qiskit, an open-source framework provided by IBM for quantum computing, particularly focused on facilitating programming and executing quantum circuits. This vulnerability allows a maliciously crafted QPY file to execute arbitrary code during the deserialization process without requiring any elevated privileges. As organizations increasingly adopt quantum computing technologies, the potential for exploitation underscores a significant risk, particularly if untrusted or compromised QPY files are processed. This could lead to unauthorized execution of code within the organization’s environment, jeopardizing system integrity and security.

Technical Details

The vulnerability arises specifically in versions of Qiskit ranging from 0.18.0 to 1.4.1, where the qiskit.qpy.load() function is invoked. When this function processes a specially crafted QPY payload (formatted as QPY files below version 13), it can execute arbitrary Python code contained within the file. This means that an attacker could craft a QPY file that, once loaded, executes malicious code without needing to escalate privileges, allowing the malicious actor to manipulate the system further.

Potential Impact of CVE-2025-2000

  1. Unauthorized Code Execution: The primary impact of this vulnerability is the ability for attackers to execute arbitrary code on the affected systems. This can lead to a wide range of malicious activities, including data exfiltration, system manipulation, or deploying additional malware.

  2. Data Integrity Compromise: With the capability to run arbitrary code, there's a risk that attackers could alter or corrupt critical data within the organization's systems. This could disrupt operations or lead to inaccurate or falsified information being processed, which can be particularly damaging in a quantum computing context where precision is crucial.

  3. Increased Attack Surface: By allowing the execution of malicious payloads, CVE-2025-2000 increases the attack surface of organizations using Qiskit. If exploited, it could serve as a foothold for further attacks or lateral movement within the network, thus broadening the potential reach of a cyber threat.

Affected Version(s)

Qiskit SDK 0.18.0 <= 1.4.1

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Treinish and Jake Lishman
.