Add the feed URL directly to your feed reader: https://cloud.google.com/feeds/generative-ai-on-vertex-ai-security-bulletins.xml
GCP-2025-059
Published: 2025-10-21
Updated: 2025-10-22
Description
Severity
Notes
2025-10-22 Update: Added link to CVE.
On September 23, 2025, we discovered a technical issue in
the Vertex AI API that resulted in a limited number of responses
being misrouted between recipients for certain third-party models
when using streaming requests. This issue is now resolved.
Google models, e.g. Gemini, were not impacted.
Some internal proxies did not properly handle HTTP requests that
have an Expect: 100-continue header, resulting in
a desynchronization in a streaming response connection, where
a response intended for one request was instead delivered as
the response for a subsequent request.
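The off-by-one pairing described above can be reproduced with a small model of one reused upstream connection. This is an added example, not Google's code. The mechanism is an assumption (an interim 100 Continue counted as a final response), because the bulletin does not describe proxy internals, and the request IDs, bodies and Content-Length framing are constructed.

```python
# Toy model of response pairing on one keep-alive upstream connection.
# Assumed failure mode: an interim 1xx response is treated as a final one.

def parse_responses(raw: bytes):
    """Split a stream of Content-Length-framed responses into (status, body)."""
    out, pos = [], 0
    while pos < len(raw):
        head_end = raw.index(b"\r\n\r\n", pos)
        lines = raw[pos:head_end].decode("ascii").split("\r\n")
        status = int(lines[0].split(" ")[1])
        headers = dict(line.split(": ", 1) for line in lines[1:])
        length = int(headers.get("Content-Length", "0"))
        body_start = head_end + 4
        out.append((status, raw[body_start:body_start + length]))
        pos = body_start + length
    return out

def pair_naive(request_ids, raw):
    """Buggy: every response on the wire answers the next pending request."""
    return dict(zip(request_ids, parse_responses(raw)))

def pair_correct(request_ids, raw):
    """1xx responses are interim; only a final (>= 200) status completes a request."""
    finals = [r for r in parse_responses(raw) if r[0] >= 200]
    if len(finals) != len(request_ids):
        # Framing can no longer be trusted: fail closed instead of guessing.
        raise ValueError("final responses do not match pending requests")
    return dict(zip(request_ids, finals))

# Constructed upstream bytes: request A carried Expect: 100-continue, B did not.
UPSTREAM = (
    b"HTTP/1.1 100 Continue\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nanswer-A"
    b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nanswer-B"
)
PENDING = ["req-A", "req-B"]

if __name__ == "__main__":
    print("naive  :", pair_naive(PENDING, UPSTREAM))    # req-B receives answer-A
    print("correct:", pair_correct(PENDING, UPSTREAM))  # each request gets its own
```

In the naive pairing the leftover `answer-B` stays queued on the connection, so every later request on it is shifted by one as well.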
What should I do?
We have implemented fixes to properly address the presence of
the Expect: 100-continue header, and prevent recurrence
of this issue. We have also added testing, monitoring, and alerting
so that we can quickly detect an occurrence of this issue to prevent
regression. There is no action for customers to take at this time to
prevent the unintended behavior from occurring.
The fixes were rolled out for different models on separate schedules,
with Anthropic models being remediated by Sep. 26, 12:45 AM PDT and
all surfaces remediated by Sep. 28, 07:10 PM PDT. Affected models
on Vertex AI API and the time of resolution are listed below:
The issue has been fixed as of September 28, 2025, at 11:00 AM PDT.
Self-deployed models for which the 'StreamRawPredict', 'ChatCompletions', 'GenerateContent', or 'StreamGenerateContent' method was invoked using public endpoints
The issue has been fixed as of September 28, 2025, at 7:10 PM PDT.
Neither dedicated (the default on Model Garden) nor private endpoints were impacted.
A vulnerability was discovered in the Vertex AI API serving Gemini
multimodal requests, allowing bypass of VPC Service Controls.
An attacker may be able to abuse the fileUri parameter of the API
to exfiltrate data.
What should I do?
No actions needed. We've implemented a fix to return an error message when a
media file URL is specified in the fileUri parameter and VPC Service Controls
is enabled. Other use cases are unaffected.
What vulnerabilities are being addressed?
The Vertex AI API serving Gemini multimodal requests lets you
include media files by specifying the URL of the media file in the
fileUri parameter. This capability can be used to bypass
VPC Service Controls perimeters. An attacker inside the service perimeter
could encode sensitive data in the fileUri parameter to bypass
the service perimeter.
Last updated 2025-10-22 UTC.