OpenCV cv2.imwrite pickle scanner-bypass PoC
This repository contains a minimal proof of concept for a pickle scanner bypass:
the artifact calls cv2.imwrite() during normal pickle.load() and writes a
PNG file, while picklescan==1.0.4 and modelscan==0.8.8 both report no
issues and exit 0.
Huntr report package URL: https://huggingface.co/hacnho/opencv-imwrite-scanner-bypass-poc
Reproduce
python3 -m venv /tmp/opencv-imwrite-pickle-poc
/tmp/opencv-imwrite-pickle-poc/bin/python -m pip install --upgrade pip
/tmp/opencv-imwrite-pickle-poc/bin/python -m pip install -r requirements.txt
/tmp/opencv-imwrite-pickle-poc/bin/python reproduce_cv2_imwrite_scanner_bypass.py
Expected result:
"load_result": true,
"marker_exists": true,
"marker_magic": "89504e470d0a1a0a"
The marker path is /tmp/mfv_cv2_imwrite_marker.png.
Files
- malicious_cv2_imwrite.pkl - scanner-clean pickle artifact.
- reproduce_cv2_imwrite_scanner_bypass.py - deterministic builder and verifier.
- reproduce-output.json - captured local proof.
- picklescan-output.txt - exact scanner output.
- modelscan-output.txt - exact scanner output.
- environment.txt - tested runtime versions.
- report.md - full report draft.
- local-dashboard-duplicate-gate-2026-06-24.json - local Huntr submission denylist check.
- hacktivity-duplicate-check/ - live Huntr hacktivity duplicate-check JSON and screenshots.
- SHA256SUMS.txt - artifact hashes.
Scope Note
This PoC demonstrates file creation/overwrite through OpenCV's image encoder.
It does not claim arbitrary command execution. The consumer environment must
have OpenCV importable as cv2.
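
Consumer-side mitigation, as an added example that is not part of this repository: a loader that rejects every global not explicitly expected, so it does not depend on a scanner recognising cv2.imwrite. The names AllowlistUnpickler, safe_loads and verdict and the allowlist contents are assumptions for illustration; the sample bytes are constructed and only name cv2.imwrite without calling it.

```python
import io
import pickle
from collections import OrderedDict

# Assumption for this example: the consumer only expects these globals.
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})

# Constructed sample: a protocol-0 pickle that only *names* cv2.imwrite
# (GLOBAL opcode, then STOP). It never calls it and writes no file.
REFERENCE_ONLY_SAMPLE = b"ccv2\nimwrite\n."


class BlockedGlobal(pickle.UnpicklingError):
    """Raised when a pickle asks for a global outside the allowlist."""


class AllowlistUnpickler(pickle.Unpickler):
    def __init__(self, file, allowed=ALLOWED_GLOBALS):
        super().__init__(file)
        self._allowed = allowed

    def find_class(self, module, name):
        # Called for every GLOBAL/STACK_GLOBAL opcode, before any import
        # happens, so a rejected module (here cv2) is never loaded.
        if (module, name) not in self._allowed:
            raise BlockedGlobal(f"{module}.{name}")
        return super().find_class(module, name)


def safe_loads(data, allowed=ALLOWED_GLOBALS):
    """Unpickle data, resolving only allowlisted globals."""
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def verdict(data, allowed=ALLOWED_GLOBALS):
    """Return (True, obj) if the pickle loads, else (False, blocked name)."""
    try:
        return True, safe_loads(data, allowed)
    except BlockedGlobal as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(verdict(REFERENCE_ONLY_SAMPLE))
    print(verdict(pickle.dumps(OrderedDict(a=1))))
```

Because the check runs inside find_class, it works without OpenCV installed and fails closed on any callable the allowlist does not name.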