Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE
ID: ef1ec797-9c37-5aea-8f40-4b802d684f4c
STIX ID: report--ef1ec797-9c37-5aea-8f40-4b802d684f4c
Feed Name: Palo Alto Networks Unit 42
Palo Alto Networks Unit 42 discovered and responsibly disclosed a high-impact vulnerability in the Google Cloud Vertex AI Python SDK that allowed an attacker to pre-create (squat) a predictable default staging GCS bucket, race to replace victim model artifacts with a malicious joblib/pickle payload, and achieve remote code execution and tenant service-account token exfiltration; Google released fixes (first in v1.144.0 and fully in v1.148.0) and users are advised to upgrade and/or set explicit staging buckets.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
