CVE-2025-1403

Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.ibm.com/support/pages/node/7183868	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ibm:qiskit:*:*:*:*:*:*:*:*

History

18 Jun 2025, 23:34

Type	Values Removed	Values Added
CPE		cpe:2.3:a:ibm:qiskit::::::::
Summary		(es) Qiskit SDK 0.45.0 a 1.2.4 podría permitir que un atacante remoto provoque una denegación de servicio utilizando un archivo QPY manipulado con fines malintencionados que contenga un flujo de serialización de Symengine malformado que puede causar un error de segmentación dentro de la librería de Symengine.
First Time		Ibm Ibm qiskit
References	~~() https://www.ibm.com/support/pages/node/7183868 -~~	() https://www.ibm.com/support/pages/node/7183868 - Vendor Advisory

21 Feb 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-21 17:15

Updated : 2025-06-18 23:34

NVD link : CVE-2025-1403

Mitre link : CVE-2025-1403

CVE.ORG link : CVE-2025-1403

JSON object : View

Products Affected

ibm

qiskit

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-1403", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2025-02-21T17:15:13.437", "references": [{"url": "https://www.ibm.com/support/pages/node/7183868", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@us.ibm.com", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library."}, {"lang": "es", "value": "Qiskit SDK 0.45.0 a 1.2.4 podr\u00eda permitir que un atacante remoto provoque una denegaci\u00f3n de servicio utilizando un archivo QPY manipulado con fines malintencionados que contenga un flujo de serializaci\u00f3n de Symengine malformado que puede causar un error de segmentaci\u00f3n dentro de la librer\u00eda de Symengine."}], "lastModified": "2025-06-18T23:34:56.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:qiskit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CAEC3E9-9112-46A3-9957-DB282DF3AED1", "versionEndIncluding": "1.2.4", "versionStartIncluding": "0.45.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}