Insecure deserialization via pickle.load() in predictor.py enables Command Injection/RCE if model.pkl is tampered #6300

@JoshuaProvoste

Description

The file predictor.py deserializes a pickle file (model.pkl) using pickle.load() without any integrity or provenance validation.

If this artifact can be replaced or tampered with (e.g. in CI/CD pipelines, model artifact buckets, container builds, or downstream distributions), this results in arbitrary code execution at load time.

This behavior is triggered automatically when XgboostPredictor.load() is invoked and a .pkl model artifact is present.

The vulnerability originates from unconditional deserialization using pickle.load(open(..., "rb")) inside the load() method of XgboostPredictor.

Full technical analysis, PoC generators, and reproduction steps are documented here:

In environments where the Vertex AI SDK is used to build, test, or deploy models automatically (CI/CD systems, training pipelines, or inference containers), a poisoned model.pkl artifact could lead to compromise of build agents, model-serving containers, credentials, or downstream images, effectively becoming a software supply-chain attack vector.

Happy to provide additional context if needed. Thank you for maintaining the Vertex AI SDK.

— Joshua Provoste
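A defensive counterpart to the load path described in the issue, added here as an example and not code from the python-aiplatform project: it refuses to unpickle unless the artifact's SHA-256 matches a digest recorded out-of-band, and then unpickles through a global allow-list so an artifact referencing an unexpected class or callable is rejected instead of executed. The XGBoost allow-list entries and the sample artifacts are assumed and constructed for illustration.

```python
import collections
import datetime
import hashlib
import hmac
import io
import pickle

# Globals a legitimate artifact may reference. The XGBoost entries are assumed
# for illustration; the real allow-list must match what the project's model uses.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("xgboost.core", "Booster"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global (class or callable) that is not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_model(data: bytes, expected_sha256: str):
    """Check provenance first; only a byte-exact artifact is ever unpickled."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        raise ValueError("model artifact digest mismatch; refusing to unpickle")
    return RestrictedUnpickler(io.BytesIO(data)).load()

def classify_load(data: bytes, expected_sha256: str) -> str:
    """Outcome label for a load attempt, so callers can log and alert on it."""
    try:
        load_model(data, expected_sha256)
    except ValueError:
        return "rejected: digest mismatch"
    except pickle.UnpicklingError:
        return "rejected: blocked global"
    return "loaded"

# Constructed stand-ins for model.pkl; the expected digest would normally be
# recorded at training time and shipped separately from the artifact itself.
TRUSTED_BLOB = pickle.dumps(collections.OrderedDict(n_estimators=100, max_depth=3))
TRUSTED_DIGEST = sha256_hex(TRUSTED_BLOB)
TAMPERED_BLOB = TRUSTED_BLOB + b"\x00"  # any byte-level change breaks the digest
UNEXPECTED_BLOB = pickle.dumps(datetime.date(2024, 1, 1))  # harmless, not allow-listed
UNEXPECTED_DIGEST = sha256_hex(UNEXPECTED_BLOB)
```

The digest check rejects a swapped artifact before a single opcode runs, and the allow-list turns a pickle that reaches for an unexpected global into a logged refusal rather than code execution at load time.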

Labels: api: vertex-ai (Issues related to the googleapis/python-aiplatform API.)