First published: Fri Mar 14 2025
### Impact

A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload, without privilege escalation, when deserializing QPY formats < 13. A Python process calling Qiskit's `qiskit.qpy.load()` function could execute any arbitrary Python code embedded in the correct place in the binary file as part of a specially constructed payload.

### Patches

Fixed in Qiskit 1.4.2 and in Qiskit 2.0.0rc2.
Affected Software | Affected Version | How to fix |
---|---|---|
pip/qiskit | =2.0.0rc1 | 2.0.0rc2 |
pip/qiskit | <=1.4.1 | 1.4.2 |
pip/qiskit-terra | >=0.18.0, <=0.46.3 | |
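The advisory scopes the issue by two values a defender can check before anything is deserialized: the installed Qiskit version (the table above) and the QPY format version declared in the file header (formats < 13). The following is an added example, not code from the advisory or from the Qiskit project. It reads only the fixed-size QPY file header, whose layout (6-byte `QISKIT` magic, QPY format version, writer's Qiskit major/minor/patch, big-endian uint64 circuit count) follows Qiskit's documented QPY file header, and combines that with the affected ranges from the table. The function names, the `make_sample_header` helper and the sample headers are constructed for this example.

```python
import re
import struct

# Big-endian QPY file header as documented by Qiskit: 6-byte magic, QPY format
# version, qiskit major/minor/patch version, uint64 circuit count (18 bytes).
QPY_HEADER_FMT = "!6sBBBBQ"
QPY_HEADER_SIZE = struct.calcsize(QPY_HEADER_FMT)
QPY_MAGIC = b"QISKIT"
# Per the advisory, only QPY formats below 13 are affected.
FIRST_UNAFFECTED_QPY_VERSION = 13

# Handles the X.Y.Z and X.Y.ZrcN shapes that appear in the advisory table.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(version: str):
    """Return ((major, minor, patch), rc_number_or_None) for e.g. '2.0.0rc1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    rc = int(m.group(4)) if m.group(4) is not None else None
    return nums, rc


def is_affected(package: str, version: str) -> bool:
    """True if package/version falls inside the advisory's affected ranges."""
    nums, rc = parse_version(version)
    if package == "qiskit":
        if nums == (2, 0, 0) and rc is not None:
            return rc < 2          # 2.0.0rc1 affected, 2.0.0rc2 fixed
        return nums <= (1, 4, 1)   # everything up to 1.4.1 affected, 1.4.2 fixed
    if package == "qiskit-terra":
        return (0, 18, 0) <= nums <= (0, 46, 3)  # no fixed release listed
    return False


def inspect_qpy_header(data: bytes) -> dict:
    """Parse the fixed-size QPY file header without deserializing any payload."""
    if len(data) < QPY_HEADER_SIZE:
        raise ValueError("input shorter than a QPY file header")
    magic, qpy_version, major, minor, patch, num_circuits = struct.unpack_from(
        QPY_HEADER_FMT, data, 0
    )
    return {
        "magic_ok": magic == QPY_MAGIC,
        "qpy_version": qpy_version,
        "writer_qiskit_version": f"{major}.{minor}.{patch}",
        "num_circuits": num_circuits,
    }


def should_block_load(data: bytes, package: str, installed_version: str) -> bool:
    """Gate for untrusted QPY input before it reaches qiskit.qpy.load().

    Blocks when the header is not recognisable, or when the running Qiskit is
    in an affected range and the file declares an affected format (< 13).
    The header is attacker-controlled, so this is a triage aid for hosts that
    cannot yet be upgraded, not a replacement for the fixed releases.
    """
    try:
        header = inspect_qpy_header(data)
    except ValueError:
        return True
    if not header["magic_ok"]:
        return True
    return is_affected(package, installed_version) and (
        header["qpy_version"] < FIRST_UNAFFECTED_QPY_VERSION
    )


def make_sample_header(qpy_version: int, num_circuits: int = 1) -> bytes:
    """Constructed sample header (not taken from a real file) for demonstration."""
    return struct.pack(QPY_HEADER_FMT, QPY_MAGIC, qpy_version, 1, 3, 0, num_circuits)


if __name__ == "__main__":
    for fmt in (12, 13):
        for ver in ("1.4.1", "1.4.2", "2.0.0rc1", "2.0.0rc2"):
            blocked = should_block_load(make_sample_header(fmt), "qiskit", ver)
            print(f"QPY format {fmt}, qiskit {ver}: {'BLOCK' if blocked else 'allow'}")
```

In practice the installed version comes from `importlib.metadata.version("qiskit")` and `data` is the first 18 bytes of the incoming file; the decision to block is only as trustworthy as the header, so the durable fix remains the upgrade listed in the table.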
GHSA-6m2c-76ff-6vrf is classified as a high severity vulnerability due to the potential for arbitrary code execution.
To fix GHSA-6m2c-76ff-6vrf, upgrade to qiskit version 1.4.2 or later, or qiskit-terra version outside the vulnerable range.
GHSA-6m2c-76ff-6vrf affects qiskit versions up to and including 1.4.1 and qiskit-terra versions between 0.18.0 and 0.46.3.
GHSA-6m2c-76ff-6vrf allows for arbitrary code execution through the deserialization of maliciously crafted QPY files.
If using an affected version, your application may be vulnerable to executing malicious code, which could compromise its security.