What happened
Palo Alto Networks Unit 42 discovered a flaw in the Vertex AI SDK for Python: when the caller does not specify a staging bucket, the SDK derives the name of the temporary Cloud Storage bucket it uploads to from a deterministic scheme, and it does not verify that the bucket it resolves belongs to the caller's project before uploading. Because Cloud Storage bucket names form one global namespace, an attacker who knows only the victim's project ID (which is often exposed in URLs, logs and documentation) can create a bucket with that name in their own project first, wait for the victim's upload to land in it, and replace the model artifact.
Why it matters
This enables cross-tenant model poisoning: the attacker can tamper with a victim's model artifact before it reaches production. When the model is deployed for prediction, whatever the artifact's loading code does runs inside the Vertex AI serving container in Google's infrastructure, with that container's access to the serving environment and its metadata server (and therefore to tokens for the service account attached to the endpoint), and potentially to any other Google Cloud resources that identity can reach.
Attack vector
The Vertex AI SDK generates predictable names for the temporary Cloud Storage buckets used during model uploads (e.g., project-vertex-staging-region). An attacker with their own Google Cloud project can create a bucket matching that naming scheme before the victim does; because bucket names are globally unique, the victim's project can no longer create one with the same name. For the upload to succeed instead of failing with a 403, the attacker also has to make the bucket writable to the victim's identity (for example by granting object-creation permission to allUsers or allAuthenticatedUsers). When the victim's SDK then resolves the default bucket name and uploads without checking who owns it, the artifact lands in the attacker's bucket. The attacker modifies the artifact (e.g., swaps the pickle file for one whose deserialization runs arbitrary code) or uses the bucket to serve a poisoned model outright. When Vertex AI loads the model from that bucket, the attacker's code executes within the serving container.
Affected systems
Google Cloud Vertex AI Python SDK (google-cloud-aiplatform v1.139.0–1.140.0)
Mitigation
Update google-cloud-aiplatform to v1.148.0 or later. Do not rely on the default staging bucket: pass a bucket you own explicitly (the SDK accepts it as the staging_bucket argument of aiplatform.init()), and before any upload confirm that the bucket's owning project number matches your own; a bucket that exists but returns 403, or whose project number differs, is not yours. Run model upload operations under a dedicated service account (via impersonation) with only the Cloud Storage and Vertex AI permissions the upload needs, so that even a misdirected upload exposes as little as possible.
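The following is an added example, not code from the Vertex AI SDK, Google or Unit 42. It models the bucket-squatting flow described under Attack vector and the ownership check recommended under Mitigation side by side. FakeStorageClient, BucketRecord, the project IDs and project numbers, and the exact name format in default_staging_bucket are all constructed stand-ins so that the example runs offline; against real Cloud Storage the same check is made with google-cloud-storage, where storage.Client().get_bucket(name) returns a Bucket whose .project_number is the owning project and raises NotFound when no such bucket exists.

```python
"""Staging-bucket ownership check before a model upload (added example)."""
from dataclasses import dataclass, field
from typing import Dict


class BucketNotFound(Exception):
    """No bucket with this name exists anywhere (the name is free to claim)."""


class ForeignBucket(Exception):
    """A bucket with this name exists but belongs to another project."""


@dataclass
class BucketRecord:
    name: str
    project_number: int              # 'projectNumber' of the owning project
    # The squat only works if the attacker's bucket accepts the victim's
    # writes (e.g. objectCreator granted to allUsers); otherwise the upload
    # fails with 403 instead of landing in the attacker's bucket.
    open_for_writes: bool = False
    objects: Dict[str, bytes] = field(default_factory=dict)


class FakeStorageClient:
    """Constructed stand-in for google.cloud.storage.Client (offline only).
    Bucket names are one global namespace, exactly as in Cloud Storage."""

    def __init__(self) -> None:
        self._buckets: Dict[str, BucketRecord] = {}

    def get_bucket(self, name: str) -> BucketRecord:
        if name not in self._buckets:
            raise BucketNotFound(name)
        return self._buckets[name]

    def create_bucket(self, name: str, project_number: int,
                      open_for_writes: bool = False) -> BucketRecord:
        if name in self._buckets:               # real API: 409 Conflict
            raise FileExistsError(f"409: bucket name {name} already taken")
        rec = BucketRecord(name, project_number, open_for_writes)
        self._buckets[name] = rec
        return rec

    def upload(self, bucket: BucketRecord, caller_project: int,
               blob: str, data: bytes) -> None:
        if bucket.project_number != caller_project and not bucket.open_for_writes:
            raise PermissionError("403: caller may not write to this bucket")
        bucket.objects[blob] = data


def default_staging_bucket(project_id: str, region: str) -> str:
    """Deterministic name of the kind the advisory describes. The exact format
    string is an assumption; the point is that it derives from public inputs."""
    return f"{project_id}-vertex-staging-{region}"


def vulnerable_upload(client, project_id, region, my_project_number, artifact) -> int:
    """Resolve the default bucket, create it if missing, upload without checking
    who owns it. Returns the project number that received the artifact."""
    name = default_staging_bucket(project_id, region)
    try:
        bucket = client.get_bucket(name)
    except BucketNotFound:
        bucket = client.create_bucket(name, my_project_number)
    client.upload(bucket, my_project_number, "model.pkl", artifact)
    return bucket.project_number


def hardened_upload(client, project_id, region, my_project_number, artifact) -> int:
    """Same flow, but refuse to upload unless the bucket is owned by us."""
    name = default_staging_bucket(project_id, region)
    try:
        bucket = client.get_bucket(name)
    except BucketNotFound:
        bucket = client.create_bucket(name, my_project_number)
    if bucket.project_number != my_project_number:
        raise ForeignBucket(f"{name} is owned by project {bucket.project_number}, "
                            f"expected {my_project_number}; refusing to upload")
    client.upload(bucket, my_project_number, "model.pkl", artifact)
    return bucket.project_number


# Constructed identifiers for the scenario below.
VICTIM_PROJECT_ID = "acme-ml-prod"
VICTIM_PROJECT_NUMBER = 111111111111
ATTACKER_PROJECT_NUMBER = 999999999999
REGION = "us-central1"


def run_scenario(attacker_opens_bucket: bool = True) -> dict:
    """Attacker claims the victim's predictable bucket name first; then the
    victim uploads with and without the ownership check."""
    client = FakeStorageClient()
    client.create_bucket(default_staging_bucket(VICTIM_PROJECT_ID, REGION),
                         ATTACKER_PROJECT_NUMBER, open_for_writes=attacker_opens_bucket)
    out = {}
    try:
        out["vulnerable"] = vulnerable_upload(client, VICTIM_PROJECT_ID, REGION,
                                              VICTIM_PROJECT_NUMBER, b"pickle-bytes")
    except PermissionError:
        out["vulnerable"] = "403"
    try:
        out["hardened"] = hardened_upload(client, VICTIM_PROJECT_ID, REGION,
                                          VICTIM_PROJECT_NUMBER, b"pickle-bytes")
    except ForeignBucket:
        out["hardened"] = "refused"
    return out


if __name__ == "__main__":
    print(run_scenario(attacker_opens_bucket=True))
    print(run_scenario(attacker_opens_bucket=False))
```

Against the real API, treat only NotFound as "the name is free"; a Forbidden (403) on get_bucket means the name exists under someone else's project and must be handled like a foreign bucket, not as a prompt to create it. Your own project number comes from gcloud projects describe PROJECT_ID --format='value(projectNumber)', and the bucket's from gcloud storage buckets describe gs://BUCKET --format='value(projectNumber)', which is a quick way to audit any staging bucket already in use.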