OpenCV cv2.imwrite pickle scanner-bypass PoC

This repository contains a minimal proof of concept for a pickle scanner bypass: the artifact calls cv2.imwrite() during normal pickle.load() and writes a PNG file, while picklescan==1.0.4 and modelscan==0.8.8 both report no issues and exit 0.

Huntr report package URL: https://huggingface.co/hacnho/opencv-imwrite-scanner-bypass-poc

Reproduce

python3 -m venv /tmp/opencv-imwrite-pickle-poc
/tmp/opencv-imwrite-pickle-poc/bin/python -m pip install --upgrade pip
/tmp/opencv-imwrite-pickle-poc/bin/python -m pip install -r requirements.txt
/tmp/opencv-imwrite-pickle-poc/bin/python reproduce_cv2_imwrite_scanner_bypass.py

Expected result:

"load_result": true,
"marker_exists": true,
"marker_magic": "89504e470d0a1a0a"

The marker path is /tmp/mfv_cv2_imwrite_marker.png.

Files

  • malicious_cv2_imwrite.pkl - scanner-clean pickle artifact.
  • reproduce_cv2_imwrite_scanner_bypass.py - deterministic builder and verifier.
  • reproduce-output.json - captured local proof.
  • picklescan-output.txt - exact scanner output.
  • modelscan-output.txt - exact scanner output.
  • environment.txt - tested runtime versions.
  • report.md - full report draft.
  • local-dashboard-duplicate-gate-2026-06-24.json - local Huntr submission denylist check.
  • hacktivity-duplicate-check/ - live Huntr hacktivity duplicate-check JSON and screenshots.
  • SHA256SUMS.txt - artifact hashes.

Scope Note

This PoC demonstrates file creation/overwrite through OpenCV's image encoder. It does not claim arbitrary command execution. The consumer environment must have OpenCV importable as cv2.
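The loader-side check this report argues for, as an added example that is not part of this repository: instead of a denylist, walk the pickle opcode stream with pickletools and flag every GLOBAL/STACK_GLOBAL reference that is not on an allowlist, so a cv2.imwrite import is reported even though denylist scanners pass it. The allowlist contents and both sample pickles are constructed assumptions for the example; nothing is unpickled.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Allowlist of (module, name) pairs a loader may resolve. Constructed for this
# example: a real deployment derives it from the model format it expects.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import, found by walking opcodes with
    pickletools. Nothing is unpickled, so this is safe on untrusted input.
    GLOBAL carries 'module name' inline; STACK_GLOBAL (protocol 4+) takes the two
    strings pushed before it, possibly fetched from the memo, so strings are tracked."""
    found, strings, memo, memo_count, prev_was_str = [], [], {}, 0, False
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        is_str = op.name in STRING_OPS
        if is_str:
            strings.append(arg)
        elif op.name == "MEMOIZE":                      # memoizes top of stack
            if prev_was_str:
                memo[memo_count] = strings[-1]
            memo_count += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT") and prev_was_str:
            memo[arg] = strings[-1]
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and arg in memo:
            strings.append(memo[arg])
            is_str = True
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        prev_was_str = is_str
    return found

def flagged_globals(data: bytes, allowed=ALLOWED_GLOBALS) -> list[tuple[str, str]]:
    """Globals an allowlist-only policy would reject, i.e. the loader should refuse."""
    return [g for g in referenced_globals(data) if g not in allowed]

# Constructed samples. CV2_REF only *references* cv2.imwrite (GLOBAL then STOP,
# no REDUCE), so it calls nothing; it stands in for the artifact's import.
CV2_REF = b"\x80\x02ccv2\nimwrite\n."
BENIGN = pickle.dumps(OrderedDict(weights=[1.0, 2.0]), protocol=4)

if __name__ == "__main__":
    for label, blob in (("cv2 reference", CV2_REF), ("benign", BENIGN)):
        print(label, "->", flagged_globals(blob) or "clean")
```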
