IBM Qiskit
cpe:2.3:a:ibm:qiskit:*:*:*:*:*:*:*
- < 13
A vulnerability exists in the IBM Qiskit SDK, versions 0.18.0 through 1.4.1, that allows arbitrary code execution through the deserialization of QPY files in format versions prior to 13. When a Python process uses the 'qiskit.qpy.load()' function to deserialize a QPY file, any Python code embedded in the payload can be executed, without the need for elevated privileges.
Exploitation of this vulnerability could lead to unauthorized execution of arbitrary Python code within the context of the user running the Qiskit process.
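A pre-load triage check for the condition described above, as an added example that is not code from IBM or Qiskit: it reads only the file header and refuses anything whose QPY format version is below 13 before the file would reach 'qiskit.qpy.load()'. The header layout (6-byte "QISKIT" magic followed by one-byte version fields) is assumed from Qiskit's QPY format documentation, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Header prefix as described in Qiskit's QPY format documentation (assumed
# here, not stated on this page): 6-byte magic "QISKIT", then uint8 QPY
# format version and uint8 Qiskit major/minor/patch, network byte order.
HEADER_PREFIX = struct.Struct("!6sBBBB")
MIN_QPY_VERSION = 13  # threshold from the advisory: formats prior to 13


def triage_qpy(data: bytes) -> tuple:
    """Return (allowed, detail) from the header alone; the payload is never parsed."""
    if len(data) < HEADER_PREFIX.size:
        return False, "truncated header"
    magic, qpy_version, major, minor, patch = HEADER_PREFIX.unpack_from(data)
    if magic != b"QISKIT":
        return False, "bad magic, not a QPY file"
    writer = f"{major}.{minor}.{patch}"
    if qpy_version < MIN_QPY_VERSION:
        return False, (f"QPY format {qpy_version} (written by Qiskit {writer}) "
                       f"is below {MIN_QPY_VERSION}")
    return True, f"QPY format {qpy_version} (written by Qiskit {writer})"


def triage_path(path: str) -> tuple:
    """Read only the first header bytes of a file on disk and triage them."""
    with open(path, "rb") as fh:
        return triage_qpy(fh.read(HEADER_PREFIX.size))


def sample_header(qpy_version: int, qiskit=(1, 4, 1)) -> bytes:
    """Constructed header bytes for the demo; not a real circuit file."""
    return HEADER_PREFIX.pack(b"QISKIT", qpy_version, *qiskit) + struct.pack("!Q", 1)


if __name__ == "__main__":
    samples = {
        "format 12": sample_header(12),
        "format 13": sample_header(13, (2, 0, 0)),
        "not QPY": b"PK\x03\x04" + b"\x00" * 16,
        "truncated": b"QISK",
    }
    for label, blob in samples.items():
        allowed, detail = triage_qpy(blob)
        print(f"{label:10s} {'ALLOW' if allowed else 'REJECT'}  {detail}")
```

The "written by" version in the header is supplied by whoever produced the file, so treat it as a logging aid only; the decision rests on the format version field.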