CVE-2025-2000

Name of the Vulnerable Software and Affected Versions: Qiskit versions 0.18.0 through 1.4.1

Description: A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats less than 13. This issue affects python processes calling Qiskit's qiskit.qpy.load() function, allowing the execution of arbitrary Python code embedded in the binary file as part of a specially constructed payload.

Recommendations: For Qiskit versions 0.18.0 through 1.4.1, consider disabling the qiskit.qpy.load() function until a patch is available to prevent the execution of arbitrary Python code from malicious QPY files. Restrict the use of QPY files with versions less than 13 to minimize the risk of exploitation.