cvedb.io
CVE-2025-2000
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2025-03-14T13:15:40.907 · Last modified 2026-06-17T09:06:03.403

Summary

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. A python process calling Qiskit 0.18.0 through 1.4.1's `qiskit.qpy.load()` function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of specially constructed payload.

Affected products

ibm — qiskit

Does this affect you?

Add your gear to cvedb and we'll alert you only when ibm ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.