Google Vertex AI SDK Flaw Lets Attackers Hijack Model Uploads via Bucket Squatting
What Happened — A vulnerability in the Google Cloud Vertex AI Python SDK enables an unauthenticated attacker to hijack a victim’s machine‑learning model upload process and execute arbitrary code inside Google’s serving infrastructure. Palo Alto Networks Unit 42 dubbed the technique “Pickle in the Middle” and reported that no active exploitation has been observed in the wild.
Why It Matters for Compliance & Audit Readiness
- The flaw bypasses the “least‑privilege” principle and creates a control gap in the Change Management and System Operations criteria of SOC 2 (CC6.1, CC3.1).
- Continuous evidence of third‑party library integrity and SDK version control is essential to demonstrate due diligence during an audit.
- Verisq’s Control Mapping capability can automatically map this SDK‑related risk to the relevant SOC 2 controls and collect ongoing proof of remediation.
Who Is Affected – Cloud service providers, SaaS platforms, and enterprises that embed Google Vertex AI models in production workloads (e.g., fintech, health‑tech, media).
Recommended Actions –
- Immediately upgrade to the patched Vertex AI SDK version released by Google.
- Implement a version‑control policy for all third‑party libraries and enforce integrity‑checking (e.g., signed packages, SBOMs).
- Map the SDK usage to SOC 2 CC6.1 (Change Management) and CC3.1 (System Operations) controls, and capture continuous compliance evidence.
Source: The Hacker News
Technical Notes – The attack leverages insecure deserialization of Python pickle objects stored in a shared Cloud Storage bucket, allowing “bucket squatting” to replace the victim’s model artifact. No CVE number has been assigned yet; the issue was disclosed through Google’s bug bounty program.