GHSA-6m2c-76ff-6vrf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6m2c-76ff-6vrf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-6m2c-76ff-6vrf/GHSA-6m2c-76ff-6vrf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6m2c-76ff-6vrf
- Aliases
- Published
- 2025-03-14T19:56:14Z
- Modified
- 2025-05-02T22:02:58.997199Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Qiskit allows arbitrary code execution decoding QPY format versions < 13
- Details
-
Impact
A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats < 13. A python process calling Qiskit's
qiskit.qpy.load()function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of a specially constructed payload.Patches
Fixed in Qiskit 1.4.2 and in Qiskit 2.0.0rc2
- Database specific
{ "github_reviewed": true, "severity": "CRITICAL", "cwe_ids": [ "CWE-502" ], "nvd_published_at": null, "github_reviewed_at": "2025-03-14T19:56:14Z" }- References
Affected packages
PyPI / qiskit-terra
Package
- Name
- qiskit-terra
- View open source insights on deps.dev
- Purl
- pkg:pypi/qiskit-terra
Affected versions
0.*
0.18.0
0.18.1
0.18.2
0.18.3
0.19.0
0.19.1
0.19.2
0.20.0
0.20.1
0.20.2
0.21.0rc1
0.21.0
0.21.1
0.21.2
0.22.0rc1
0.22.0
0.22.1
0.22.2
0.22.3
0.22.4
0.23.0rc1
0.23.0
0.23.1
0.23.2
0.23.3
0.24.0rc1
0.24.0
0.24.1
0.24.2
0.25.0rc1
0.25.0
0.25.1
0.25.2
0.25.2.1
0.25.3
0.45.0rc1
0.45.0
0.45.1
0.45.2
0.45.3
0.46.0
0.46.1
0.46.2
0.46.3
PyPI / qiskit
Package
- Name
- qiskit
- View open source insights on deps.dev
- Purl
- pkg:pypi/qiskit
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.4.2
Affected versions
0.*
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.9.0
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.13.0
0.14.0
0.14.1
0.15.0
0.16.0
0.16.1
0.16.2
0.17.0
0.18.0
0.18.1
0.18.2
0.18.3
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.20.0
0.20.1
0.21.0
0.22.0
0.23.0
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0
0.24.1
0.25.0
0.25.1
0.25.2
0.25.3
0.25.4
0.26.0
0.26.1
0.26.2
0.27.0
0.28.0
0.29.0
0.29.1
0.30.0
0.30.1
0.31.0
0.32.0
0.32.1
0.33.0
0.33.1
0.34.0
0.34.1
0.34.2
0.35.0
0.36.0
0.36.1
0.36.2
0.37.0
0.37.1
0.37.2
0.38.0
0.39.0
0.39.1
0.39.2
0.39.3
0.39.4
0.39.5
0.40.0
0.41.0
0.41.1
0.42.0
0.42.1
0.43.0
0.43.1
0.43.2
0.43.3
0.44.0
0.44.1
0.44.2
0.44.3
0.45.0rc1
0.45.0
0.45.1
0.45.2
0.45.3
0.46.0
0.46.1
0.46.2
0.46.3
1.*
1.0.0b1
1.0.0rc1
1.0.0
1.0.1
1.0.2
1.1.0rc1
1.1.0
1.1.1
1.1.2
1.2.0rc1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0b1
1.3.0rc1
1.3.0rc2
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
PyPI / qiskit
Package
- Name
- qiskit
- View open source insights on deps.dev
- Purl
- pkg:pypi/qiskit