Google Vertex AI SDK Flaw Enabled Remote Code Execution via Bucket Squatting

Palo Alto Networks Unit 42 discovered a vulnerability in Google's Python SDK that let attackers hijack model uploads through predictable bucket names and pickle deserialization.

Omega Editorial· June 16, 2026· 3 min read

Vulnerability Overview

Security researchers at Palo Alto Networks Unit 42 have disclosed a critical vulnerability in Google Cloud's Vertex AI SDK for Python that could have allowed attackers to execute arbitrary code in a victim's machine learning infrastructure without any initial access to their project.

The flaw, which affected SDK versions 1.139.0 and 1.140.0, stemmed from a predictable default bucket naming pattern combined with insufficient ownership verification. When developers uploaded models to Vertex AI without specifying a custom staging bucket, the SDK constructed bucket names using a deterministic formula based on project ID and region, for example "my-project-vertex-staging-us-central1".

An attacker who knew a target's project ID could preemptively create this bucket in their own Google Cloud project, a technique known as bucket squatting. The SDK would then upload the victim's model artifacts directly to the attacker-controlled bucket, creating an opportunity for malicious code injection.

Why it matters

This vulnerability demonstrates how seemingly minor design choices in cloud SDKs can create systemic security risks across enterprise AI deployments. Organizations using Vertex AI for production machine learning workloads could have faced data exfiltration, lateral movement within their cloud environments, and compromise of their AI serving infrastructure—all without the attacker needing any foothold in the victim's project. The attack required only knowledge of a project ID, which is often publicly discoverable, making the barrier to exploitation remarkably low.

The Attack Mechanism

The researchers dubbed their exploit "Pickle in the Middle" because it leveraged Python's pickle serialization module to achieve remote code execution. When ML models are serialized using pickle or its wrapper joblib, deserialization can trigger arbitrary code execution through the __reduce__ method.

The attack unfolded in six phases. First, the attacker created a bucket with the predicted name in their own project and configured permissive IAM policies allowing any authenticated Google Cloud user to interact with it. They then deployed a Cloud Function that automatically triggered whenever new objects appeared in the bucket.

When the victim uploaded a model using standard SDK code without specifying a staging bucket, the artifacts landed in the attacker's bucket. The Cloud Function detected the upload within approximately 800 milliseconds and replaced the legitimate model with a malicious payload. Unit 42's testing showed the window between victim upload and Google's service agent reading the model was roughly 2.5 seconds—enough time for the automated swap to succeed.

Once the victim deployed the compromised model to an endpoint, the malicious code executed in the serving container. In Unit 42's proof of concept, this code queried the Google Compute Engine metadata server for service account credentials and exfiltrated them to an attacker-controlled endpoint.

Discovery and Remediation

Unit 42 incorporated large language models into their code analysis workflow to accelerate vulnerability discovery, identifying the flaw in the SDK's stage_local_data_in_gcs() function. The vulnerable code checked only whether a bucket existed, not whether the caller's project owned it.

Google accepted the findings and released fixes in SDK version 1.148.0 on April 15, 2025. The company's security team addressed the predictable naming pattern and added proper ownership verification to the staging logic.

Organizations using the Vertex AI Python SDK should upgrade to version 1.148.0 or later immediately. The vulnerability only affected environments where victims had not yet created their default staging bucket in a given region and did not explicitly specify a staging bucket parameter when uploading models.
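The pre-flight check below is an added example, not Unit 42's or Google's code. It derives the default staging bucket name from the pattern quoted above, then accepts it only if the bucket is owned by the caller's own project, creating it first if it does not exist; the vulnerable SDK tested existence alone. The GCS calls are replaced by a constructed in-memory stand-in so the example runs offline; the `aiplatform.init(staging_bucket=...)` hand-off in the comment is the assumed way to pass the verified name to the real SDK.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class BucketInfo:
    """Subset of bucket metadata the check needs (stand-in for a GCS Bucket object)."""
    name: str
    project_number: str  # numeric id of the project that owns the bucket


def default_staging_bucket(project_id: str, region: str) -> str:
    """Predictable default name from the article: '<project>-vertex-staging-<region>'."""
    return f"{project_id}-vertex-staging-{region}"


class StagingBucketError(RuntimeError):
    """Raised when the staging bucket already exists but belongs to a different project."""


def ensure_staging_bucket(project_id: str, region: str, my_project_number: str,
                          lookup: Callable[[str], Optional[BucketInfo]],
                          create: Callable[[str], BucketInfo]) -> str:
    """Return 'gs://<bucket>' only after proving our project owns the bucket.

    missing bucket -> create it in OUR project before any upload (closes the squat window)
    present bucket -> compare owner project number and refuse on mismatch
    """
    name = default_staging_bucket(project_id, region)
    info = lookup(name)
    if info is None:
        info = create(name)
    if info.project_number != my_project_number:
        raise StagingBucketError(f"{name} is owned by project {info.project_number}, "
                                 f"not {my_project_number}; refusing to stage artifacts there")
    return f"gs://{name}"


class FakeGcs:
    """Constructed in-memory stand-in for the GCS API so the check runs offline."""
    def __init__(self, existing: Dict[str, BucketInfo], my_project_number: str):
        self.buckets = dict(existing)
        self.me = my_project_number

    def lookup(self, name: str) -> Optional[BucketInfo]:
        return self.buckets.get(name)

    def create(self, name: str) -> BucketInfo:  # new buckets land in our own project
        self.buckets[name] = BucketInfo(name, self.me)
        return self.buckets[name]


if __name__ == "__main__":
    gcs = FakeGcs({}, "111111111111")
    uri = ensure_staging_bucket("my-project", "us-central1", "111111111111", gcs.lookup, gcs.create)
    print(uri)  # then pass explicitly: aiplatform.init(project=..., location=..., staging_bucket=uri)
```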

These details were first reported by Palo Alto Networks Unit 42 in their security advisory.

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.
