CVE-2024-29032

Advisory

A vulnerability has been identified in qiskit_ibm_runtime.RuntimeDecoder where deserializing JSON data can lead to arbitrary code execution. The RuntimeDecoder is intended to deserialize JSON strings that contain various special types encoded via RuntimeEncoder. However, an attacker can craft a malicious payload that causes the decoder to spawn a subprocess and execute arbitrary code.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/Qiskit/qiskit-ibm-runtime/commit/b78fca114133051805d00043a404b25a33835f4d
• https://github.com/advisories/GHSA-x4x5-jv3x-9c7m
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29032