CRITICAL 9.8

PYSEC-2026-511

Qiskit allows arbitrary code execution decoding QPY format versions < 13

Details

### Impact

A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload, without privilege escalation, when QPY formats < 13 are deserialized. A Python process calling Qiskit's `qiskit.qpy.load()` function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of a specially constructed payload.

### Patches

Fixed in Qiskit 1.4.2 and in Qiskit 2.0.0rc2.
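
A pre-load gate for the condition described under Impact, as an added example that is not part of the advisory or of Qiskit's code: it reads the version byte from the file header and refuses anything below 13 before the data reaches `qiskit.qpy.load()`. The header layout follows Qiskit's QPY format documentation and is an assumption here; `require_safe_qpy`, `declared_qpy_version`, `UnsafeQPYError` and `sample_header` are hypothetical names.

```python
import io
import struct

# Header layout assumed from Qiskit's QPY format documentation (not on this page):
# 6-byte magic "QISKIT", uint8 qpy_version, then three uint8 Qiskit version parts.
_HEADER = struct.Struct("!6sBBBB")
MIN_SAFE_QPY_VERSION = 13  # the advisory covers QPY format versions < 13


class UnsafeQPYError(ValueError):
    """Raised when a stream must not be handed to qiskit.qpy.load()."""


def declared_qpy_version(stream):
    """Return the QPY version declared in the header; stream position is restored."""
    start = stream.tell()
    try:
        raw = stream.read(_HEADER.size)
    finally:
        stream.seek(start)  # the real loader must see the file from the beginning
    if len(raw) < _HEADER.size:
        raise UnsafeQPYError("truncated QPY header")
    magic, qpy_version, _major, _minor, _patch = _HEADER.unpack(raw)
    if magic != b"QISKIT":
        raise UnsafeQPYError("not a QPY file (bad magic)")
    return qpy_version


def require_safe_qpy(stream):
    """Return the declared version, or raise if it falls in the affected range."""
    version = declared_qpy_version(stream)
    if version < MIN_SAFE_QPY_VERSION:
        raise UnsafeQPYError(
            f"QPY format version {version} < {MIN_SAFE_QPY_VERSION}; refusing to load"
        )
    return version


def sample_header(qpy_version):
    """Constructed sample header bytes for testing (not a complete QPY file)."""
    return _HEADER.pack(b"QISKIT", qpy_version, 1, 4, 2) + (0).to_bytes(8, "big")
```

The gate needs a seekable stream and inspects only the version the header declares, so it complements upgrading to a fixed release rather than replacing it.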


Affected packages

PyPI / qiskit-terra
First affected version: 0.18.0

No fixed version published yet for qiskit-terra (pip). Pin to a known-safe version or switch to an alternative.
