Vertex AI SDK Bucket Squatting Enables Cross-Tenant Remote Code Execution via Pickle Deserialization
A flaw in Google's Vertex AI Python SDK allows attackers to hijack model uploads through bucket squatting and achieve remote code execution across tenant boundaries via unsafe pickle deserialisation. This affects any organisation using the SDK to upload models to Google Cloud.
Affected
Unit 42 has identified a critical remote code execution vulnerability in the Vertex AI Python SDK stemming from unsafe handling of model uploads. The attack chain exploits a bucket naming race condition where an attacker can create a storage bucket with a predictable name before the legitimate user, then serve malicious serialised Python objects during the model upload process.
The technical root cause lies in the SDK's use of Python's pickle module to deserialise model artifacts without validation. When a user uploads a model, the SDK may fetch intermediate files from cloud storage. An attacker controlling a bucket with a squatted name can inject a pickle payload containing arbitrary Python code. Upon deserialisation, this payload executes with the privileges of the process running the SDK, typically the user's GCP service account credentials.
The cross-tenant aspect is particularly severe: an attacker in one GCP organisation can target users in another organisation by exploiting the predictable bucket naming scheme. This breaks the fundamental isolation assumption in multi-tenant cloud systems. Any organisation relying on Vertex AI for model management is potentially exposed, especially those using automated pipelines or CI/CD systems where the SDK runs with elevated permissions.
Defenders should immediately audit their Vertex AI SDK versions and update to patched releases. Organisations should enforce strict bucket naming policies, implement VPC-level controls to restrict unauthorised storage access, and consider running model upload operations in isolated service accounts with minimal privilege scope. Additionally, organisations should review their model artifact sources and implement content validation or signing mechanisms independent of the SDK's deserialisation logic.
This vulnerability represents a broader pattern of supply-chain risk in ML tooling: the intersection of untrusted input (cloud storage), unsafe deserialisation patterns (pickle), and credential exposure (service accounts) creates a reliable RCE primitive. The pickle module remains a persistent security liability in Python ecosystems, and organisations should systematically migrate away from pickle-based model serialisation towards safer formats like JSON or protobuf with explicit schema validation.
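As an added illustration of the two mitigations named above (content validation independent of the SDK, and refusing pickle streams that reference arbitrary callables), the following Python is not code from the Unit 42 write-up or from the Vertex AI SDK; the HMAC key, the allowlist, the benign artifact and the hostile pickle stream are all constructed for the example.

```python
import hashlib
import hmac
import io
import pickle

# Globals a model artifact may legitimately reference; everything else
# (os.system, subprocess.Popen, builtins.eval, ...) is refused before resolution.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "float"),
    ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    # find_class is the hook pickle calls for GLOBAL / STACK_GLOBAL opcodes.
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def sign_artifact(blob: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag the producing pipeline computes over the raw bytes."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_and_load(blob: bytes, tag: str, key: bytes):
    """Deserialise only after the tag verifies, and only via the restricted unpickler."""
    if not hmac.compare_digest(sign_artifact(blob, key), tag):
        raise ValueError("artifact signature mismatch: refusing to deserialise")
    return RestrictedUnpickler(io.BytesIO(blob)).load()

KEY = b"demo-pipeline-signing-key"  # constructed placeholder; keep real keys in a secrets manager
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "bias": 0.5})  # constructed trusted artifact
BENIGN_TAG = sign_artifact(BENIGN, KEY)
# Constructed stand-in for a squatted-bucket payload: protocol-0 GLOBAL + REDUCE
# opcodes that would call os.getcwd() under a plain pickle.loads().
HOSTILE = b"cos\ngetcwd\n)R."

def demo():
    good = verify_and_load(BENIGN, BENIGN_TAG, KEY)
    try:
        verify_and_load(HOSTILE, BENIGN_TAG, KEY)  # unsigned blob: tag check rejects it
        sig_blocked = False
    except ValueError:
        sig_blocked = True
    try:
        RestrictedUnpickler(io.BytesIO(HOSTILE)).load()  # even without signing, global refused
        global_blocked = False
    except pickle.UnpicklingError:
        global_blocked = True
    return good, sig_blocked, global_blocked
```

The allowlist must be tightened to the types a given model format actually needs; the one shown is a starting point, not a complete policy.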