cvelistv5 - cve-2025-1403

cve-2025-1403

Vulnerability from cvelistv5

Published

2025-02-21 16:55

Modified

2025-08-26 19:48

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Summary

Qiskit SDK denial of service

References

▼	URL	Tags
	psirt@us.ibm.com	https://www.ibm.com/support/pages/node/7183868	Vendor Advisory

Impacted products

▼	Vendor	Product
	IBM	Qiskit SDK

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-1403",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-21T17:09:23.158236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-26T19:48:05.242Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Qiskit SDK",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "1.2.4",
              "status": "affected",
              "version": "0.45.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Matthew Treinish and Jake Lishman"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library."
            }
          ],
          "value": "Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-11T16:52:44.961Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7183868"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Qiskit SDK denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-1403",
    "datePublished": "2025-02-21T16:55:03.802Z",
    "dateReserved": "2025-02-17T19:37:50.068Z",
    "dateUpdated": "2025-08-26T19:48:05.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-1403\",\"sourceIdentifier\":\"psirt@us.ibm.com\",\"published\":\"2025-02-21T17:15:13.437\",\"lastModified\":\"2025-09-30T15:25:51.423\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library.\"},{\"lang\":\"es\",\"value\":\"Qiskit SDK 0.45.0 a 1.2.4 podr\u00eda permitir que un atacante remoto provoque una denegaci\u00f3n de servicio utilizando un archivo QPY manipulado con fines malintencionados que contenga un flujo de serializaci\u00f3n de Symengine malformado que puede causar un error de segmentaci\u00f3n dentro de la librer\u00eda de Symengine.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"psirt@us.ibm.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:qiskit:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.45.0\",\"versionEndIncluding\":\"1.2.4\",\"matchCriteriaId\":\"5CAEC3E9-9112-46A3-9957-DB282DF3AED1\"}]}]}],\"references\":[{\"url\":\"https://www.ibm.com/support/pages/node/7183868\",\"source\":\"psirt@us.ibm.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

ghsa-fpmr-m242-xm7x

Vulnerability from github

Published

2025-02-21 21:42

Modified

2025-02-21 21:42

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Summary

Malciously crafted QPY files can allows Remote Attackers to Cause Denial of Service in Qiskit

Details

Impact

A maliciously crafted QPY file containing a malformed symengine serialization stream as part of the larger QPY serialization of a ParameterExpression object can cause a segfault within the symengine library, allowing an attacker to terminate the hosting process deserializing the QPY payload.

Patches

This issue is addressed in 1.3.0 when using QPY format version 13. QPY format versions 10, 11, and 12 are all still inherently vulnerable if they are using symengine symbolic encoding and symengine <= 0.13.0 is installed in the deserializing environment (as of publishing there is no newer compatible release of symengine available). Using QPY 13 is strongly recommended for this reason.

The symengine 0.14.0 release has addressed the segfault issue, but it is backward incompatible and will not work with any Qiskit release; it also prevents loading a payload generated with any other version of symengine. Using QPY 13 is strongly recommended for this reason.

It is also strongly suggested to patch the locally installed version of symengine in the deserializing environment to prevent the specific segfault. The commit [1] can be applied on top of symengine 0.13.0 and used to build a patched python library that will not segfault in the presence of a malformed payload and instead raise a RuntimeError which will address the vulnerability.

Workarounds

As QPY is backwards compatible qiskit.qpy.load() function will always attempt to deserialize the symengine-serialized payloads in QPY format versions 10, 11, and 12. These are any payloads generated with the use_symengine argument on qiskit.qpy.dump() set to True (which is the default value starting in Qiskit 1.0.0. The only option is to disallow parsing if those QPY formats are being read and the use_symengine flag was set in the file's header. You can detect whether a payload is potentially vulnerable by using the following function built using the Python standard library:

```python import struct from collections import namedtuple

def check_qpy_payload(path: str) -> bool: """Function to check if a QPY payload is potentially vulnerable to a symengine vulnerability.

Args:
    path: The path to the QPY file

Returns:
    Whether the specified payload is potentially vulnerable. If ``True`` the conditions for
    being vulnerable exist, however the payload may not be vulnerable it can't be detected
    until trying to deserialize.
"""
with open(path, "rb") as file_obj:
    version = struct.unpack("!6sB", file_obj.read(7))[1]
    if version < 10 or version >= 13:
        return False
    file_obj.seek(0)
    header_tuple = namedtuple(
        "FILE_HEADER",
        [
            "preface",
            "qpy_version",
            "major_version",
            "minor_version",
            "patch_version",
            "num_programs",
            "symbolic_encoding",
        ],
    )
    header_pack_str = "!6sBBBBQc"
    header_read_size = struct.calcsize(header_pack_str)
    data = struct.unpack(header_pack_str, file_obj.read(header_read_size))
    header = header_tuple(*data)
    return header.symbolic_encoding == b"e"

```

Note, this function does not tell you whether the payload is malicious and will cause the segfault, just that conditions for it to be potentially malicious exist. It's not possible to know ahead of time whether symengine will segfault until the data is passed to that library.

References

[1] https://github.com/symengine/symengine/commit/eb3e292bf13b2dfdf0fa1c132944af8df2bc7d51

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "qiskit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.45.0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "qiskit-terra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.45.0"
            },
            {
              "last_affected": "0.46.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-21T21:42:43Z",
    "nvd_published_at": "2025-02-21T17:15:13Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA maliciously crafted QPY file containing a malformed `symengine` serialization stream as part of the larger QPY serialization of a `ParameterExpression` object can cause a segfault within the `symengine` library, allowing an attacker to terminate the hosting process deserializing the QPY payload.\n\n### Patches\n\nThis issue is addressed in 1.3.0 when using QPY format version 13. QPY format versions 10, 11, and 12 are all still inherently vulnerable if they are using symengine symbolic encoding and `symengine \u003c= 0.13.0` is installed in the deserializing environment (as of publishing there is no newer compatible release of symengine available). Using QPY 13 is strongly recommended for this reason.\n\nThe symengine 0.14.0 release has addressed the segfault issue, but it is backward incompatible and will not work with any Qiskit release; it also prevents loading a payload generated with any other version of symengine. Using QPY 13 is strongly recommended for this reason.\n\nIt is also strongly suggested to patch the locally installed version of symengine in the deserializing environment to prevent the specific segfault. The commit [1] can be applied on top of symengine 0.13.0 and used to build a patched python library that will not segfault in the presence of a malformed payload and instead raise a `RuntimeError` which will address the vulnerability.\n\n### Workarounds\n\nAs QPY is backwards compatible `qiskit.qpy.load()` function will always attempt to deserialize the `symengine`-serialized payloads in QPY format versions 10, 11, and 12. These are any payloads generated with the `use_symengine` argument on `qiskit.qpy.dump()` set to `True` (which is the default value starting in Qiskit 1.0.0. The only option is to disallow parsing if those QPY formats are being read and the `use_symengine` flag was set in the file\u0027s header. You can detect whether a payload is potentially vulnerable by using the following function built using the Python standard library:\n\n```python\nimport struct\nfrom collections import namedtuple\n\n\ndef check_qpy_payload(path: str) -\u003e bool:\n    \"\"\"Function to check if a QPY payload is potentially vulnerable to a symengine vulnerability.\n\n    Args:\n        path: The path to the QPY file\n\n    Returns:\n        Whether the specified payload is potentially vulnerable. If ``True`` the conditions for\n        being vulnerable exist, however the payload may not be vulnerable it can\u0027t be detected\n        until trying to deserialize.\n    \"\"\"\n    with open(path, \"rb\") as file_obj:\n        version = struct.unpack(\"!6sB\", file_obj.read(7))[1]\n        if version \u003c 10 or version \u003e= 13:\n            return False\n        file_obj.seek(0)\n        header_tuple = namedtuple(\n            \"FILE_HEADER\",\n            [\n                \"preface\",\n                \"qpy_version\",\n                \"major_version\",\n                \"minor_version\",\n                \"patch_version\",\n                \"num_programs\",\n                \"symbolic_encoding\",\n            ],\n        )\n        header_pack_str = \"!6sBBBBQc\"\n        header_read_size = struct.calcsize(header_pack_str)\n        data = struct.unpack(header_pack_str, file_obj.read(header_read_size))\n        header = header_tuple(*data)\n        return header.symbolic_encoding == b\"e\"\n```\n\nNote, this function does **not** tell you whether the payload is malicious and will cause the segfault, just that conditions for it to be potentially malicious exist. It\u0027s not possible to know ahead of time whether `symengine` will segfault until the data is passed to that library.\n\n### References\n\n[1] https://github.com/symengine/symengine/commit/eb3e292bf13b2dfdf0fa1c132944af8df2bc7d51",
  "id": "GHSA-fpmr-m242-xm7x",
  "modified": "2025-02-21T21:42:43Z",
  "published": "2025-02-21T21:42:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Qiskit/qiskit/security/advisories/GHSA-fpmr-m242-xm7x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symengine/symengine/commit/eb3e292bf13b2dfdf0fa1c132944af8df2bc7d51"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Qiskit/qiskit"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7183868"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malciously crafted QPY files can allows Remote Attackers to Cause Denial of Service in Qiskit"
}

Action not permitted

cve-2025-1403

Vulnerability from cvelistv5

ghsa-fpmr-m242-xm7x

Vulnerability from github

Impact

Patches

Workarounds

References

Tags