Skip to content

Malciously crafted QPY files can allow remote attackers to cause denial of service

High
mtreinish published GHSA-fpmr-m242-xm7x Feb 21, 2025

Package

pip qiskit (pip)

Affected versions

>=0.45.0,<1.3.0

Patched versions

1.3.0
pip qiskit-terra (pip)
>=0.45.0
Not receiving security updates

Description

Impact

A maliciously crafted QPY file containing a malformed symengine serialization stream as part of the larger QPY serialization of a ParameterExpression object can cause a segfault within the symengine library, allowing an attacker to terminate the hosting process deserializing the QPY payload.

Patches

This issue is addressed in 1.3.0 when using QPY format version 13. QPY format versions 10, 11, and 12 are all still inherently vulnerable if they are using symengine symbolic encoding and symengine <= 0.13.0 is installed in the deserializing environment (as of publishing there is no newer compatible release of symengine available). Using QPY 13 is strongly recommended for this reason.

The symengine 0.14.0 release has addressed the segfault issue, but it is backward incompatible and will not work with any Qiskit release; it also prevents loading a payload generated with any other version of symengine. Using QPY 13 is strongly recommended for this reason.

It is also strongly suggested to patch the locally installed version of symengine in the deserializing environment to prevent the specific segfault. The commit [1] can be applied on top of symengine 0.13.0 and used to build a patched python library that will not segfault in the presence of a malformed payload and instead raise a RuntimeError which will address the vulnerability.

Workarounds

As QPY is backwards compatible qiskit.qpy.load() function will always attempt to deserialize the symengine-serialized payloads in QPY format versions 10, 11, and 12. These are any payloads generated with the use_symengine argument on qiskit.qpy.dump() set to True (which is the default value starting in Qiskit 1.0.0. The only option is to disallow parsing if those QPY formats are being read and the use_symengine flag was set in the file's header. You can detect whether a payload is potentially vulnerable by using the following function built using the Python standard library:

import struct
from collections import namedtuple


def check_qpy_payload(path: str) -> bool:
    """Function to check if a QPY payload is potentially vulnerable to a symengine vulnerability.

    Args:
        path: The path to the QPY file

    Returns:
        Whether the specified payload is potentially vulnerable. If ``True`` the conditions for
        being vulnerable exist, however the payload may not be vulnerable it can't be detected
        until trying to deserialize.
    """
    with open(path, "rb") as file_obj:
        version = struct.unpack("!6sB", file_obj.read(7))[1]
        if version < 10 or version >= 13:
            return False
        file_obj.seek(0)
        header_tuple = namedtuple(
            "FILE_HEADER",
            [
                "preface",
                "qpy_version",
                "major_version",
                "minor_version",
                "patch_version",
                "num_programs",
                "symbolic_encoding",
            ],
        )
        header_pack_str = "!6sBBBBQc"
        header_read_size = struct.calcsize(header_pack_str)
        data = struct.unpack(header_pack_str, file_obj.read(header_read_size))
        header = header_tuple(*data)
        return header.symbolic_encoding == b"e"

Note, this function does not tell you whether the payload is malicious and will cause the segfault, just that conditions for it to be potentially malicious exist. It's not possible to know ahead of time whether symengine will segfault until the data is passed to that library.

References

[1] symengine/symengine@eb3e292

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE ID

CVE-2025-1403

Weaknesses

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Learn more on MITRE.