Security bulletins

This page lists security bulletins for Vertex AI.

GCP-2024-063

Published: 2024-12-06

Description Severity Notes

A vulnerability in the Vertex AI API for Gemini multimodal requests could allow an attacker to bypass VPC Service Controls. An attacker could abuse the fileURI parameter to exfiltrate data from within a service perimeter.

What should you do?

No action is required on your part. We have implemented a fix that returns an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are not affected.

What is the impact of this vulnerability?

The Vertex AI API for Gemini lets you include media files in multimodal requests by specifying the file's URL in the fileUri parameter. An attacker inside a service perimeter could use this feature to encode sensitive data in the fileURI parameter and bypass the VPC Service Controls perimeter.

Medium CVE-2024-12236