GHSA-fpmr-m242-xm7x
HIGHMalciously crafted QPY files can allows Remote Attackers to Cause Denial of Service in Qiskit
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
qiskit🐍qiskit-terraReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Impact
A maliciously crafted QPY file containing a malformed symengine serialization stream as part of the larger QPY serialization of a ParameterExpression object can cause a segfault within the symengine library, allowing an attacker to terminate the hosting process deserializing the QPY payload.
Patches
This issue is addressed in 1.3.0 when using QPY format version 13. QPY format versions 10, 11, and 12 are all still inherently vulnerable if they are using symengine symbolic encoding and symengine <= 0.13.0 is installed in the deserializing environment (as of publishing there is no newer compatible release of symengine available). Using QPY 13 is strongly recommended for this reason.
The symengine 0.14.0 release has addressed the segfault issue, but it is backward incompatible and will not work with any Qiskit release; it also prevents loading a payload generated with any other version of symengine. Using QPY 13 is strongly recommended for this reason.
It is also strongly suggested to patch the locally installed version of symengine in the deserializing environment to prevent the specific segfault. The commit [1] can be applied on top of symengine 0.13.0 and used to build a patched python library that will not segfault in the presence of a malformed payload and instead raise a RuntimeError which will address the vulnerability.
Workarounds
As QPY is backwards compatible qiskit.qpy.load() function will always attempt to deserialize the symengine-serialized payloads in QPY format versions 10, 11, and 12. These are any payloads generated with the use_symengine argument on qiskit.qpy.dump() set to True (which is the default value starting in Qiskit 1.0.0. The only option is to disallow parsing if those QPY formats are being read and the use_symengine flag was set in the file's header. You can detect whether a payload is potentially vulnerable by using the following function built using the Python standard library:
import struct
from collections import namedtuple
def check_qpy_payload(path: str) -> bool:
"""Function to check if a QPY payload is potentially vulnerable to a symengine vulnerability.
Args:
path: The path to the QPY file
Returns:
Whether the specified payload is potentially vulnerable. If ``True`` the conditions for
being vulnerable exist, however the payload may not be vulnerable it can't be detected
until trying to deserialize.
"""
with open(path, "rb") as file_obj:
version = struct.unpack("!6sB", file_obj.read(7))[1]
if version < 10 or version >= 13:
return False
file_obj.seek(0)
header_tuple = namedtuple(
"FILE_HEADER",
[
"preface",
"qpy_version",
"major_version",
"minor_version",
"patch_version",
"num_programs",
"symbolic_encoding",
],
)
header_pack_str = "!6sBBBBQc"
header_read_size = struct.calcsize(header_pack_str)
data = struct.unpack(header_pack_str, file_obj.read(header_read_size))
header = header_tuple(*data)
return header.symbolic_encoding == b"e"
Note, this function does not tell you whether the payload is malicious and will cause the segfault, just that conditions for it to be potentially malicious exist. It's not possible to know ahead of time whether symengine will segfault until the data is passed to that library.
References
[1] https://github.com/symengine/symengine/commit/eb3e292bf13b2dfdf0fa1c132944af8df2bc7d51
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | qiskit | ≥ 0.45.0&&< 1.3.0 | 1.3.0 |
| 🐍PyPI | qiskit-terra | ≥ 0.45.0 | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for qiskit. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update qiskit to 1.3.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fpmr-m242-xm7x is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-fpmr-m242-xm7x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-fpmr-m242-xm7x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-fpmr-m242-xm7x in your dependencies?
O3 detects GHSA-fpmr-m242-xm7x across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.