CVE-2025-2000: 
Python vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-2000) has been identified in the Qiskit Software Development Kit (SDK) versions 0.18.0 through 1.4.1. The vulnerability was discovered and disclosed on March 14, 2025, affecting the QPY deserialization functionality in Qiskit SDK. The issue allows maliciously crafted QPY files to execute arbitrary code embedded in the payload without privilege escalation when deserializing QPY formats less than version 13 (NVD, IBM Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically affects the qiskit.qpy.load() function, which can execute arbitrary Python code embedded in the correct place within a specially constructed binary file payload. The vulnerability is categorized as CWE-502: Deserialization of Untrusted Data (NVD, Security Online).

The vulnerability poses significant risks as it allows attackers to execute arbitrary code through specially crafted QPY files. Given Qiskit's widespread use in quantum computing applications for tasks involving quantum circuits and quantum operators, the impact is particularly concerning for the quantum computing community. The high CVSS score indicates potential for complete compromise of system confidentiality, integrity, and availability (Security Online).

IBM has released patches to address this vulnerability. Users are strongly advised to upgrade to either Qiskit version 1.4.2 or Qiskit 2.0.0. These updated versions include critical patches that prevent the exploitation of this vulnerability. No alternative workarounds are available (ASEC, IBM Advisory).