CVE-2025-1403: 
Python vulnerability analysis and mitigation

Qiskit SDK versions 0.45.0 through 1.2.4 contains a vulnerability that allows remote attackers to cause a denial of service condition. The vulnerability (CVE-2025-1403) was disclosed on February 21, 2025, and affects the QPY file handling functionality within the software. The issue specifically involves malformed symengine serialization streams that can trigger a segmentation fault (IBM Security).

The vulnerability stems from improper handling of maliciously crafted QPY files containing malformed symengine serialization streams as part of the larger QPY serialization of a ParameterExpression object. When such files are processed, they can cause a segmentation fault within the symengine library, resulting in process termination. The vulnerability has been assigned a CVSS Base score of 8.6 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, indicating its severity. The issue has been classified as CWE-502: Deserialization of Untrusted Data (IBM Security).

Successful exploitation of this vulnerability allows remote attackers to terminate the hosting process through a denial of service attack. The attack requires no user interaction or special privileges, making it particularly concerning for systems processing QPY files from untrusted sources (IBM Security).

The vulnerability has been addressed in Qiskit 1.3.0 when using QPY format version 13. For systems unable to upgrade, IBM recommends patching the locally installed version of symengine to prevent the segfault by applying a specific commit (eb3e292bf13b2dfdf0fa1c132944af8df2bc7d51) on top of symengine 0.13.0. Additionally, users can implement detection mechanisms to check if QPY payloads are potentially vulnerable before processing them (IBM Security).