---
license: mit
tags:
- security
- pickle
- opencv
- modelscan
- picklescan
- huntr
---

# OpenCV `cv2.imwrite` pickle scanner-bypass PoC

This repository contains a minimal proof of concept for a pickle scanner bypass: the artifact calls `cv2.imwrite()` during normal `pickle.load()` and writes a PNG file, while `picklescan==1.0.4` and `modelscan==0.8.8` both report no issues and exit `0`.

Huntr report package URL: https://huggingface.co/hacnho/opencv-imwrite-scanner-bypass-poc

## Reproduce

```bash
python3 -m venv /tmp/opencv-imwrite-pickle-poc
/tmp/opencv-imwrite-pickle-poc/bin/python -m pip install --upgrade pip
/tmp/opencv-imwrite-pickle-poc/bin/python -m pip install -r requirements.txt
/tmp/opencv-imwrite-pickle-poc/bin/python reproduce_cv2_imwrite_scanner_bypass.py
```

Expected result:

```json
"load_result": true,
"marker_exists": true,
"marker_magic": "89504e470d0a1a0a"
```

The marker path is `/tmp/mfv_cv2_imwrite_marker.png`.

## Files

- `malicious_cv2_imwrite.pkl` - scanner-clean pickle artifact.
- `reproduce_cv2_imwrite_scanner_bypass.py` - deterministic builder and verifier.
- `reproduce-output.json` - captured local proof.
- `picklescan-output.txt` - exact scanner output.
- `modelscan-output.txt` - exact scanner output.
- `environment.txt` - tested runtime versions.
- `report.md` - full report draft.
- `local-dashboard-duplicate-gate-2026-06-24.json` - local Huntr submission denylist check.
- `hacktivity-duplicate-check/` - live Huntr hacktivity duplicate-check JSON and screenshots.
- `SHA256SUMS.txt` - artifact hashes.

## Scope Note

This PoC demonstrates file creation/overwrite through OpenCV's image encoder. It does not claim arbitrary command execution. The consumer environment must have OpenCV importable as `cv2`.
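
A defender-side check for the gap described above, added here as an example and not part of this repository's files: it lists every global a pickle stream would import without loading it, then applies an allowlist, so `cv2.imwrite` is rejected even though it is absent from a scanner's unsafe-globals list. It assumes the scanners pass the artifact because `cv2.imwrite` is not on such a list; the allowlist contents and the sample byte strings are constructed for illustration.

```python
import collections
import pickle
import pickletools

# Assumed policy for this example: the only imports a model pickle may make.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("numpy", "dtype"),
    ("numpy", "ndarray"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
MEMO_WRITE_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def imported_globals(data: bytes):
    """List (module, name) pairs the stream imports; the pickle is never loaded."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL":
            # Operands come from the stack; resolve them only when the two
            # preceding pushes were literal strings, else mark unresolved.
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        if opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name not in MEMO_WRITE_OPS:
            strings = []
    return found

def violations(data: bytes):
    """Imports outside the allowlist; unresolved ("?", "?") entries fail closed."""
    return [g for g in imported_globals(data) if g not in ALLOWED_GLOBALS]

# Constructed samples: they only reference cv2.imwrite and call nothing.
SAMPLE_PROTO0 = b"ccv2\nimwrite\n."
SAMPLE_PROTO4 = b"\x80\x04\x8c\x03cv2\x94\x8c\x07imwrite\x94\x93."
BENIGN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in [("proto0", SAMPLE_PROTO0), ("proto4", SAMPLE_PROTO4),
                        ("benign", BENIGN)]:
        print(label, violations(blob) or "ok")
```

A scan like this belongs in front of `pickle.load()` as a gate; the same allowlist can also be enforced at load time by overriding `pickle.Unpickler.find_class`.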