
Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

thehackernews.com 2026-06-17 AI supply chain Critical

What Happened

A flaw in the Google Cloud Vertex AI SDK for Python let an attacker with no access to a victim's project hijack the victim's machine learning model upload and run code inside Google's serving infrastructure. Palo Alto Networks Unit 42, which found and reported the bug through Google's bug bounty program, calls the technique "Pickle in the Middle" and said it saw no exploitation in the wild.

Why It Matters

According to Unit 42 and subsequent reporting, a vulnerability in the Google Cloud Vertex AI Python SDK’s model upload flow allowed attackers to hijack machine learning model artifacts via bucket squatting using only a victim’s public project ID, enabling remote code execution inside Google’s serving infrastructure under specific conditions.[1][2][3] Google mitigated the issue in staged fixes, fully resolving it by adding randomized bucket naming and explicit bucket ownership verification in SDK v1.148.0, with no exploitation observed in the wild so far.[1][2][3] From a CyberSE.AI perspective, this represents an AI supply chain risk where default SDK behavior and storage naming patterns can be abused to swap or poison models without tenant access, so organizations should treat SDKs and storage conventions as part of their AI SBOM, pin and monitor SDK versions across notebooks/CI/pipelines, and enforce explicit, controlled staging buckets. Continuous red teaming of ML deployment pipelines and advisory on bucket naming, ownership checks, and artifact integrity validation (e.g., signing and verification of model files) are critical to prevent similar cross-tenant model hijacking paths.
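As an added illustration of the mitigations this summary describes (an explicit, controlled staging bucket, verification that the bucket belongs to the expected project, and a digest check on the model artifact before it is uploaded), here is a self-contained Python sketch written for this page. It is not Google's SDK code or Unit 42's proof of concept: the bucket-naming pattern, project IDs, the bucket directory and the model bytes are constructed, and the bucket lookup is an injected function standing in for a real storage client so the example runs offline.

```python
"""Defensive staging checks for a model upload (illustrative, constructed).

Three controls from the summary: do not derive the staging bucket name from
the public project ID alone, verify the bucket's owning project before
writing to it, and verify the artifact digest before it is staged.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class BucketMeta:
    """Minimal bucket metadata; a real client would return far more."""
    name: str
    project_number: str  # numeric project that owns the bucket


class StagingError(Exception):
    def __init__(self, reason: str, detail: str) -> None:
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def predictable_bucket_name(project_id: str) -> str:
    """Name derived only from the public project ID (assumed pattern, not the
    SDK's real one). Anyone who knows the ID can precompute and pre-create it,
    which is the squatting risk the summary describes."""
    return f"{project_id}-vertex-staging"


def randomized_bucket_name(project_id: str, token: Optional[str] = None) -> str:
    """Same prefix plus an unguessable suffix, so the name cannot be pre-registered."""
    return f"{project_id}-vertex-staging-{token or secrets.token_hex(8)}"


def verify_bucket_ownership(meta: BucketMeta, expected_project_number: str) -> None:
    """Refuse to write unless the bucket belongs to the project we expect."""
    if meta.project_number != expected_project_number:
        raise StagingError(
            "ownership",
            f"bucket {meta.name!r} is owned by project {meta.project_number}, "
            f"expected {expected_project_number}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact_digest(data: bytes, expected_sha256: str) -> None:
    """Compare against a digest recorded when the model was built, not at upload time."""
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise StagingError("digest", f"artifact digest {actual} != {expected_sha256}")


def stage_model(project_id: str, expected_project_number: str, artifact: bytes,
                expected_sha256: str, lookup_bucket: Callable[[str], Optional[BucketMeta]],
                bucket_name: Optional[str] = None) -> dict:
    """Pick the bucket (explicit if given, randomized otherwise), check ownership
    and artifact integrity, and return the staging plan. Raises StagingError."""
    name = bucket_name or randomized_bucket_name(project_id)
    meta = lookup_bucket(name)
    if meta is None:
        raise StagingError("missing", f"bucket {name!r} does not exist; create it explicitly first")
    verify_bucket_ownership(meta, expected_project_number)
    verify_artifact_digest(artifact, expected_sha256)
    return {"bucket": name, "sha256": expected_sha256.lower()}


# ---- constructed sample environment (not real projects or buckets) ----
VICTIM_PROJECT_ID = "example-ml-project"
VICTIM_PROJECT_NUMBER = "111111111111"
CONTROLLED_BUCKET = randomized_bucket_name(VICTIM_PROJECT_ID, "7f3a9c1e")
CONSTRUCTED_BUCKETS = {
    # Staging bucket the team created on purpose, in its own project.
    CONTROLLED_BUCKET: BucketMeta(CONTROLLED_BUCKET, VICTIM_PROJECT_NUMBER),
    # The predictable name already exists but is owned by a different project.
    predictable_bucket_name(VICTIM_PROJECT_ID):
        BucketMeta(predictable_bucket_name(VICTIM_PROJECT_ID), "999999999999"),
}
MODEL_BYTES = b"constructed model artifact bytes"
MODEL_SHA256 = sha256_hex(MODEL_BYTES)


def lookup_constructed_bucket(name: str) -> Optional[BucketMeta]:
    """Stand-in for a storage client's bucket metadata lookup."""
    return CONSTRUCTED_BUCKETS.get(name)


def demo() -> dict:
    """Run the four scenarios and report whether each upload was staged or refused."""
    cases = {
        "controlled_bucket": (CONTROLLED_BUCKET, MODEL_BYTES),
        "predictable_bucket": (predictable_bucket_name(VICTIM_PROJECT_ID), MODEL_BYTES),
        "tampered_artifact": (CONTROLLED_BUCKET, MODEL_BYTES + b"\x00"),
        "missing_bucket": (None, MODEL_BYTES),  # randomized name nobody created yet
    }
    outcomes = {}
    for label, (bucket, artifact) in cases.items():
        try:
            stage_model(VICTIM_PROJECT_ID, VICTIM_PROJECT_NUMBER, artifact,
                        MODEL_SHA256, lookup_constructed_bucket, bucket_name=bucket)
            outcomes[label] = "staged"
        except StagingError as exc:
            outcomes[label] = f"refused: {exc.reason}"
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} {outcome}")
```

The ownership check is the decisive control: with it in place, a pre-created bucket at a guessable name is refused before any bytes are written, regardless of how the name was chosen. The digest check covers the other half of the supply chain, catching a swapped or modified artifact even when the bucket itself is trusted.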

Healthcare Fintech SaaS SMB AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html
