Cyber Posture

CVE-2025-1403

High

Published: 21 February 2025
Modified: 30 September 2025
KEV Added: 
Patch: 
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library.

Security Summary

CVE-2025-1403 affects Qiskit SDK versions 0.45.0 through 1.2.4, enabling a remote attacker to trigger a denial of service via a maliciously crafted QPY file. The file includes a malformed symengine serialization stream that causes a segmentation fault in the symengine library. Published on 2025-02-21, this vulnerability is rated 8.6 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-502 (Deserialization of Untrusted Data).

A remote attacker can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. By convincing a target to process the malicious QPY file, the attacker crashes the affected Qiskit application; the CVSS vector rates the availability impact as high and the scope as changed, with no impact on confidentiality or integrity.

IBM provides details on this issue in their security advisory at https://www.ibm.com/support/pages/node/7183868.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Affected Products

Vendor: ibm
Product: qiskit
Affected versions: 0.45.0 through 1.2.4 (inclusive)

References