{"id":8515,"date":"2026-06-17T11:49:05","date_gmt":"2026-06-17T11:49:05","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8515"},"modified":"2026-06-17T11:49:05","modified_gmt":"2026-06-17T11:49:05","slug":"googles-vertex-ai-sdk-could-allow-rce-through-bucket-squatting","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8515","title":{"rendered":"Google\u2019s Vertex AI SDK could allow RCE through bucket squatting"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A design flaw in the Vertex AI software development kit (SDK) for Python, Google Cloud\u2019s managed platform for building, training, and deploying AI agents, could allow hijacking and poisoning of models outside of a developer\u2019s own Google Cloud project.<\/p>\n<p>According to Unit 42 researchers, a combination of bad bucket naming logic and missing authentication made it possible for an attacker to hijack the victim\u2019s project by just knowing their project ID and region.<\/p>\n<p>\u201cSince no two buckets across all of Google Cloud can share the same name, an attacker who is able to predict a bucket name can preemptively create it in their own project,\u201d the researchers said in a blog <a href=\"https:\/\/unit42.paloaltonetworks.com\/hijacking-vertex-ai-model\/\" target=\"_blank\" rel=\"noopener\">post<\/a>. \u201cAny subsequent attempt to use a bucket with that name, even from a different project, silently falls back to the attacker\u2019s bucket.\u201d<\/p>\n<p>Researchers said this is a known class of vulnerability that \u201ctakes advantage of the global uniqueness\u201d of cloud storage bucket names. 
They called it \u201cBucket Squatting\u201d.<\/p>\n<p>Successful exploitation could inject a malicious model that gets loaded by the Vertex AI infrastructure, resulting in code execution across tenants. The flaw was reported to Google, which reportedly fixed the underlying issue.<\/p>\n<p>Google did not immediately respond to CSO\u2019s request for comments.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>pickle deserialization for cross-tenant RCE<\/h2>\n<p>According to Unit 42, the vulnerable model workflow in Vertex AI SDK for Python versions 1.139.0 and 1.140.0 relied on a staging bucket name derived exclusively from a customer\u2019s project ID and region. When a bucket with that name already existed, the SDK only verified its existence and did not confirm ownership.<\/p>\n<p>This created a bucket-squatting scenario in which an attacker could pre-create a bucket matching a victim\u2019s expected staging bucket and wait for model uploads to be directed there. Once a model artifact was uploaded to the attacker-controlled bucket, the attacker could replace it with a malicious version during a narrow race-condition window before Vertex AI\u2019s service agent retrieved it.<\/p>\n<p>The attack could turn into an RCE as machine learning models in Python are commonly stored using pickle or Joblib serialization formats. 
Since pickle deserialization can execute arbitrary code through specially crafted objects, a poisoned model could run remote code when loaded by Vertex AI\u2019s serving infrastructure.<\/p>\n<p>This cross-tenant exploitation process was dubbed \u201cPickle in the Middle\u201d by the researchers as it depended, in part, on the deserialization of Python\u2019s built-in <a href=\"https:\/\/www.csoonline.com\/article\/3810362\/a-pickle-in-metas-llm-code-could-allow-rce-attacks.html\">pickle<\/a> module.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Google fixed the AI-hunted bug<\/h2>\n<p>As part of the research, Unit 42 incorporated a large language model (LLM) into its code analysis workflow to accelerate <a href=\"https:\/\/www.csoonline.com\/article\/4082265\/ai-powered-bug-hunting-shakes-up-bounty-industry-for-better-or-worse.html\">vulnerability discovery<\/a>.<\/p>\n<p>\u201cAnalysis that once took days can now be executed significantly faster,\u201d the researchers said. \u201cBy iteratively narrowing the model\u2019s focus and instructing it to look for specific patterns, we found paths that led to resources provisioned on the cloud, affected by user-controlled or project-derived inputs.\u201d<\/p>\n<p>Google reportedly modified the affected workflow so that staging buckets are now validated before use, preventing attackers from registering bucket names that could be mistaken for resources belonging to other projects.<\/p>\n<p>The fixes were deployed in SDK versions 1.144.0 and 1.148.0, and users must upgrade to either of the patched versions.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A design flaw in the Vertex AI software development kit (SDK) for Python, Google Cloud\u2019s managed platform for building, training, and deploying AI agents, could allow hijacking and poisoning of models outside of a developer\u2019s own Google Cloud project. 
According to Unit 42 researchers, a combination of bad bucket naming logic and missing authentication made [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8516,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8515"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8515"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8515\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8516"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}