This page lists security bulletins for Vertex AI. Published: 2024-12-06
A vulnerability in the Vertex AI API for Gemini
multimodal requests could allow an attacker to bypass
VPC Service Controls.
An attacker could abuse the
What should you do?
No action is required on your part. We have implemented a fix that returns an error message when a
media file URL is specified in the fileUri parameter and VPC Service Controls
is enabled. Other use cases are not affected.
What is the impact of this vulnerability?
The Vertex AI API for Gemini lets you include media files in multimodal requests by specifying the file's URL in the
GCP-2024-063
Description
Severity
Notes
fileURI
parameter to exfiltrate data from within a service perimeter.
fileUri
parameter. An attacker inside a service perimeter could use this feature to encode sensitive data in the fileURI
parameter and bypass the VPC Service Controls perimeter.
Medium
CVE-2024-12236
Security bulletins
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-21 UTC.