Researchers at Palo Alto Networks Unit 42 have detailed a now-fixed vulnerability in Google Cloud’s Vertex AI SDK for Python that could have let an attacker hijack another organization’s machine-learning model upload and execute code inside its cloud environment.
The flaw, disclosed by researcher Ori Hadad, required no initial access to the victim’s project and no security misstep on their part.
The weakness centered on how the SDK handled model uploads. When a developer uploaded a model without naming a storage location, the SDK derived a predictable default bucket name from the project ID and region, then checked only whether a bucket with that name existed, not who owned it.
How Bucket Squatting Enabled the Attack
That gap opened the door to a technique called bucket squatting. Because the names of cloud storage buckets are globally unique and the default name was predictable, an attacker who knew a victim’s project ID, which is typically publicly discoverable, could create that bucket in their own account ahead of time.
When the victim later uploaded a model, the SDK quietly staged it in the attacker’s bucket.
From there the attacker had a brief window, which Unit 42 measured at roughly two and a half seconds, to swap the legitimate model for a malicious one before Google’s infrastructure read it.
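The squatting sequence above can be walked through in a few lines. The following is an added example and is not Unit 42's, Google's or the Vertex AI SDK's code: it models the globally unique bucket namespace with an in-memory dictionary, and the default-name format it uses is an assumption for illustration (the article says only that the real default was derived from project ID and region). It contrasts the flawed "exists, so reuse it" logic with a version that checks ownership and adds a random element, the two changes the article credits to the fix.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the cloud storage namespace: bucket names are
# unique across all projects, so whoever creates a name first owns it.
@dataclass
class Bucket:
    owner_project: str
    objects: dict = field(default_factory=dict)

GLOBAL_BUCKETS: dict[str, Bucket] = {}


def create_bucket(name: str, project: str) -> Bucket:
    if name in GLOBAL_BUCKETS:
        raise ValueError(f"bucket name {name!r} is already taken")
    GLOBAL_BUCKETS[name] = Bucket(owner_project=project)
    return GLOBAL_BUCKETS[name]


def default_bucket_name(project: str, region: str) -> str:
    # Assumed naming scheme, for illustration only: the article says the real
    # default was derived from the project ID and region, not what it looked like.
    return f"{project}-vertex-staging-{region}"


def stage_model_vulnerable(project: str, region: str, artifact: bytes) -> str:
    """The flawed pattern: reuse any bucket that has the default name,
    without asking which project owns it."""
    name = default_bucket_name(project, region)
    bucket = GLOBAL_BUCKETS.get(name)
    if bucket is None:
        bucket = create_bucket(name, project)
    bucket.objects["model.pkl"] = artifact  # may land in someone else's bucket
    return name


def ensure_owned_bucket(name: str, project: str) -> Bucket:
    """Ownership check: an existing bucket is reused only if it belongs to us."""
    bucket = GLOBAL_BUCKETS.get(name)
    if bucket is None:
        return create_bucket(name, project)
    if bucket.owner_project != project:
        raise PermissionError(
            f"bucket {name!r} exists but is owned by {bucket.owner_project!r}, not {project!r}"
        )
    return bucket


def stage_model_fixed(project: str, region: str, artifact: bytes) -> str:
    """Both mitigations the article attributes to the fix: an unguessable
    random element in the name, plus the ownership check."""
    name = f"{default_bucket_name(project, region)}-{secrets.token_hex(4)}"
    bucket = ensure_owned_bucket(name, project)
    bucket.objects["model.pkl"] = artifact
    return name


def demo() -> dict:
    GLOBAL_BUCKETS.clear()
    victim, region = "victim-project", "us-central1"
    squatted = default_bucket_name(victim, region)

    # 1. Attacker creates the predictable bucket in their own project first.
    create_bucket(squatted, "attacker-project")

    # 2. Vulnerable SDK: the victim's upload is silently staged in the attacker's bucket.
    used = stage_model_vulnerable(victim, region, b"legit model bytes")
    hijacked = GLOBAL_BUCKETS[used].owner_project != victim

    # 3. With the ownership check alone, reusing the squatted name is refused outright.
    try:
        ensure_owned_bucket(squatted, victim)
        check_blocks_squat = False
    except PermissionError:
        check_blocks_squat = True

    # 4. Fixed flow: the random suffix means the attacker could not pre-create the name.
    fixed_name = stage_model_fixed(victim, region, b"legit model bytes")

    return {
        "hijacked_by_vulnerable_flow": hijacked,
        "ownership_check_blocks_squat": check_blocks_squat,
        "fixed_bucket_owner": GLOBAL_BUCKETS[fixed_name].owner_project,
        "fixed_name_is_predictable": fixed_name == squatted,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real object store the same check means confirming that a bucket returned by a lookup belongs to the project doing the upload, not merely that the lookup succeeded; the race window the article describes (swapping the artifact after staging, before the platform reads it) is not simulated here, since the squat alone already puts the bytes under the attacker's control.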
The poisoning relied on a long-known property of Python’s pickle serialization, widely used to save ML models: loading a crafted file can trigger code execution. Once the victim deployed their model, the attacker’s code ran.
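To make the pickle property concrete, here is an added example (not code from Unit 42, Google or the SDK) with a constructed "model" whose __reduce__ hook runs code at load time, alongside two defenses a team can apply to artifacts it did not produce: a restricted unpickler that refuses every global lookup, and a pickletools scan that spots code-bearing opcodes without executing the file. The payload only sets an environment variable as proof of execution; the canary name and the checkpoint contents are constructed for the demo.

```python
import io
import os
import pickle
import pickletools

CANARY = "VERTEX_PICKLE_DEMO"  # constructed marker: set only if the payload actually ran


class PoisonedModel:
    """Crafted object standing in for a swapped-in model file. Unpickling it calls
    the callable returned by __reduce__. Here the payload merely sets an environment
    variable as proof of execution; a real payload would use the same hook."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ[{CANARY!r}] = 'executed'",))


def legit_artifact() -> bytes:
    # Constructed checkpoint of plain types, the shape of a typical state dict.
    return pickle.dumps({"layer1.weight": [0.1, -0.2, 0.3], "layer1.bias": [0.0]}, protocol=4)


def poisoned_artifact() -> bytes:
    return pickle.dumps(PoisonedModel(), protocol=4)


def unsafe_load(blob: bytes):
    """What most model-loading code does: runs whatever the pickle asks for."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup. Plain containers and numbers never need one,
    so a state dict still loads, but __reduce__ payloads cannot reach exec/os.system."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Opcodes that import names or call code during unpickling. A pickle of plain
# data contains none of them, so their presence is a cheap pre-deploy red flag.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "EXT1", "EXT2", "EXT4"}


def suspicious_opcodes(blob: bytes) -> list:
    """Static scan with pickletools: disassembles without executing anything."""
    return sorted({op.name for op, _arg, _pos in pickletools.genops(blob)} & CODE_OPCODES)


def demo() -> dict:
    os.environ.pop(CANARY, None)
    weights = unsafe_load(legit_artifact())

    unsafe_load(poisoned_artifact())                 # payload runs here
    executed = os.environ.pop(CANARY, None) == "executed"

    try:
        safe_load(poisoned_artifact())
        blocked = False
    except pickle.UnpicklingError:
        blocked = CANARY not in os.environ            # refused before anything ran

    return {
        "legit_loads_under_restriction": safe_load(legit_artifact()) == weights,
        "poison_executed_via_pickle_loads": executed,
        "poison_blocked_by_restricted_unpickler": blocked,
        "legit_opcodes": suspicious_opcodes(legit_artifact()),
        "poison_opcodes": suspicious_opcodes(poisoned_artifact()),
    }


if __name__ == "__main__":
    print(demo())
```

Real frameworks need some globals (their own tensor and layer classes), so a production restricted unpickler allowlists those specific module/name pairs in find_class rather than rejecting everything; the opcode scan is a complementary gate that can run on the artifact before any Python object is built from it.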
What the Flaw Exposed
The damage was not limited to one model. Unit 42 found that code running in the serving container exposed a broadly scoped cloud token belonging to Google’s managed infrastructure.
In their tests, the researchers were able to read other deployments’ model artifacts, enumerate database tables as well as schemas, and map internal systems.
Google resolved the issue through its Vulnerability Reward Program, adding a random element to default bucket names and checking that an existing bucket is actually owned by the uploading project before reusing it.
The case fits a wider trend of AI security concerns extending into the developer toolchain, where a single unsafe default in a widely used SDK was enough to undermine isolation between cloud tenants.
Unit 42 advised teams to upgrade to the latest SDK and to specify an explicit storage location for uploads rather than relying on the default. More broadly, model files from untrusted sources should be treated as executable code rather than inert data: a pickle-based artifact runs whatever it contains the moment it is loaded.