CVE-2025-1403

CVE-2025-1403 is a high-severity insecure deserialization vulnerability in qiskit (pip), affecting versions >= 0.45.0, < 1.3.0. It is fixed in 1.3.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Malciously crafted QPY files can allows Remote Attackers to Cause Denial of Service in Qiskit

Workarounds

As QPY is backwards compatible qiskit.qpy.load() function will always attempt to deserialize the symengine-serialized payloads in QPY format versions 10, 11, and 12. These are any payloads generated with the use_symengine argument on qiskit.qpy.dump() set to True (which is the default value starting in Qiskit 1.0.0. The only option is to disallow parsing if those QPY formats are being read and the use_symengine flag was set in the file's header. You can detect whether a payload is potentially vulnerable by using the following function built using the Python standard library:

import struct
from collections import namedtuple


def check_qpy_payload(path: str) -> bool:
    """Function to check if a QPY payload is potentially vulnerable to a symengine vulnerability.

    Args:
        path: The path to the QPY file

    Returns:
        Whether the specified payload is potentially vulnerable. If ``True`` the conditions for
        being vulnerable exist, however the payload may not be vulnerable it can't be detected
        until trying to deserialize.
    """
    with open(path, "rb") as file_obj:
        version = struct.unpack("!6sB", file_obj.read(7))[1]
        if version < 10 or version >= 13:
            return False
        file_obj.seek(0)
        header_tuple = namedtuple(
            "FILE_HEADER",
            [
                "preface",
                "qpy_version",
                "major_version",
                "minor_version",
                "patch_version",
                "num_programs",
                "symbolic_encoding",
            ],
        )
        header_pack_str = "!6sBBBBQc"
        header_read_size = struct.calcsize(header_pack_str)
        data = struct.unpack(header_pack_str, file_obj.read(header_read_size))
        header = header_tuple(*data)
        return header.symbolic_encoding == b"e"

Note, this function does not tell you whether the payload is malicious and will cause the segfault, just that conditions for it to be potentially malicious exist. It's not possible to know ahead of time whether symengine will segfault until the data is passed to that library.

References

[1] https://github.com/symengine/symengine/commit/eb3e292bf13b2dfdf0fa1c132944af8df2bc7d51

Impact

A maliciously crafted QPY file containing a malformed symengine serialization stream as part of the larger QPY serialization of a ParameterExpression object can cause a segfault within the symengine library, allowing an attacker to terminate the hosting process deserializing the QPY payload.

Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.

CVE-2025-1403 has a CVSS score of 8.6 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.3.0); upgrading removes the vulnerable code path.

Affected versions

qiskit (>= 0.45.0, < 1.3.0) qiskit-terra (>= 0.45.0, <= 0.46.3)

Security releases

qiskit → 1.3.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

This issue is addressed in 1.3.0 when using QPY format version 13. QPY format versions 10, 11, and 12 are all still inherently vulnerable if they are using symengine symbolic encoding and symengine <= 0.13.0 is installed in the deserializing environment (as of publishing there is no newer compatible release of symengine available). Using QPY 13 is strongly recommended for this reason.

The symengine 0.14.0 release has addressed the segfault issue, but it is backward incompatible and will not work with any Qiskit release; it also prevents loading a payload generated with any other version of symengine. Using QPY 13 is strongly recommended for this reason.

It is also strongly suggested to patch the locally installed version of symengine in the deserializing environment to prevent the specific segfault. The commit [1] can be applied on top of symengine 0.13.0 and used to build a patched python library that will not segfault in the presence of a malformed payload and instead raise a RuntimeError which will address the vulnerability.

Frequently Asked Questions

  1. What is CVE-2025-1403? CVE-2025-1403 is a high-severity insecure deserialization vulnerability in qiskit (pip), affecting versions >= 0.45.0, < 1.3.0. It is fixed in 1.3.0. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
  2. How severe is CVE-2025-1403? CVE-2025-1403 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2025-1403?
    • qiskit (pip) (versions >= 0.45.0, < 1.3.0)
    • qiskit-terra (pip) (versions >= 0.45.0, <= 0.46.3)
  4. Is there a fix for CVE-2025-1403? Yes. CVE-2025-1403 is fixed in 1.3.0. Upgrade to this version or later.
  5. Is CVE-2025-1403 exploitable, and should I be worried? Whether CVE-2025-1403 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-1403 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-1403? Upgrade qiskit to 1.3.0 or later.

Other vulnerabilities in qiskit

Stop the waste.
Protect your environment with Kodem.