
Google Vertex AI SDK Flaw Let Attackers Run Code in Google's Infrastructure via Bucket Squatting

What Happened

Palo Alto Networks Unit 42 disclosed a supply-chain-style vulnerability in the Google Cloud Vertex AI SDK for Python that allowed an attacker with zero access to a victim's GCP project to intercept and hijack ML model uploads — and execute arbitrary code inside Google's own model-serving infrastructure.

The attack class is bucket squatting: the SDK, when uploading a custom model artifact, referenced a predictable or unregistered Cloud Storage bucket name. An attacker who pre-created a bucket matching that naming pattern could intercept the upload, substitute a malicious model artifact, and have Google's serving pipeline load and run it. The victim's pipeline would proceed normally — the compromise would be silent and inside Google's perimeter, not the customer's.

Unit 42 found and reported the bug through Google's vulnerability reward program. Google has patched the SDK and the server-side infrastructure.

Why It Matters

This vulnerability is nastier than a typical SDK bug for three reasons.

First, exploitation required no foothold. An attacker didn't need credentials, didn't need to be in your org, and didn't need to exploit your infrastructure. Registering a GCS bucket is cheap and public.

Second, the execution context was Google's serving layer — not a VM you control and can audit. Code running there has access to the model-serving environment, and the blast radius of what an attacker could exfiltrate or pivot to depends on what that environment can reach.

Third, the trigger is a routine workflow — uploading a model artifact. Teams doing this as part of CI/CD pipelines would have been exposed on every deployment without any visible indication of compromise.

Anyone who used the Vertex AI Python SDK to upload custom model artifacts before the patch was shipped was in scope. If your MLOps pipelines run on Vertex and you upload custom artifacts, you need to treat any models uploaded during the vulnerable window as potentially tampered.

What to Do

  1. Update the SDK immediately. Run pip install --upgrade google-cloud-aiplatform and pin to the patched version in all environments — dev, staging, and production. Rebuild any Docker images or virtual environments that bake in the SDK.
  2. Audit recent model uploads. Review any custom model artifacts uploaded to Vertex AI in recent weeks. Compare artifact checksums against your source-of-truth (your training runs, your artifact registry). If you can't verify provenance, retrain and re-upload from a clean pipeline.
  3. Check GCS bucket naming in your pipelines. If you have any code that creates or references GCS buckets programmatically based on project IDs, model names, or other guessable patterns, audit whether those buckets are pre-claimed and owned by your organization before they're used.
  4. Review serving endpoint activity. If you have logs from Vertex AI endpoints backed by recently uploaded custom models, look for anomalous inference patterns, unusual output sizes, or unexpected latency spikes that could indicate a malicious model was served.

Google has addressed the underlying issue server-side, but client-side SDK updates are still required. Don't wait on this — the attack surface was open to anyone on the internet.
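The bucket-ownership pre-flight from step 3, as an added example that is not from the original post, Unit 42's write-up, or Google's SDK. The naming pattern and the bucket inventory are constructed stand-ins; the only real API referenced is google-cloud-storage's lookup_bucket / project_number, shown in a comment.

```python
"""Pre-flight ownership check for a predictably named GCS bucket.

Constructed example: the naming pattern and inventory below are hypothetical,
not the Vertex AI SDK's real convention or real bucket data.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class BucketInfo:
    name: str
    project_number: int  # owning project; GCS exposes it as Bucket.project_number


class ForeignBucket(Exception):
    """The name exists but we cannot read its metadata (typically HTTP 403)."""


def predictable_staging_bucket(project_id: str, region: str) -> str:
    # Hypothetical guessable pattern, only to illustrate why a check is needed.
    return f"{project_id}-{region}-model-staging"


def check_bucket(name: str, expected_project: int,
                 lookup: Callable[[str], Optional[BucketInfo]]) -> str:
    """Return 'ok', 'missing' or 'foreign'. Only 'ok' is safe to upload to."""
    try:
        info = lookup(name)
    except ForeignBucket:
        return "foreign"   # someone else already claimed the name: squatted
    if info is None:
        return "missing"   # unclaimed: create it under your own project first
    if info.project_number != expected_project:
        return "foreign"   # exists and readable, but not ours
    return "ok"


# With the real client (not run here; Forbidden -> ForeignBucket, NotFound -> None):
#   from google.api_core.exceptions import Forbidden
#   from google.cloud import storage
#   def gcs_lookup(name):
#       try:
#           b = storage.Client().lookup_bucket(name)
#       except Forbidden:
#           raise ForeignBucket(name)
#       return None if b is None else BucketInfo(b.name, int(b.project_number))

# Constructed inventory standing in for the real API.
_INVENTORY = {
    "acme-ml-us-central1-model-staging": BucketInfo("acme-ml-us-central1-model-staging", 123456789012),
    "acme-ml-europe-west4-model-staging": ForeignBucket,  # claimed by an outsider
}


def fake_lookup(name: str) -> Optional[BucketInfo]:
    entry = _INVENTORY.get(name)
    if entry is ForeignBucket:
        raise ForeignBucket(name)
    return entry


def preflight(project_id: str, project_number: int, region: str,
              lookup: Callable[[str], Optional[BucketInfo]] = fake_lookup):
    name = predictable_staging_bucket(project_id, region)
    return name, check_bucket(name, project_number, lookup)
```

Wire the verdict into the pipeline so that anything other than "ok" aborts the upload rather than letting the SDK proceed against a bucket your project does not own.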

Sources
  1. Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

Synthesized by Claude · sanity-checked before publish.
