July 23, 2018

ipynb's XSS Vulnerability on Bitbucket

One day, I found that Bitbucket could render Jupyter Notebooks.
I had already found a Jupyter Notebook (ipynb) XSS on GitLab, so I looked at Bitbucket, thinking it might have a similar vulnerability.

Gitlab XSS via ipynb

Let me get straight to the point: I found a Jupyter Notebook XSS on Bitbucket, just like the one on GitLab.


An ipynb file is JSON. When a cell's cell_type is markdown, the viewer renders the Markdown text in its source as HTML.

Such an ipynb looks something like this.

{
  "cells": [
    {
      "cell_type": "markdown",
      "metadata": {},
      "source": [
        "# This is Markdown Text"
      ]
    }
  ],
  "metadata": {
    "kernelspec": {
      "display_name": "Python 3",
      "language": "python",
      "name": "python3"
    }
  }
}

After pushing this ipynb file to the repository, the script was executed just by viewing the ipynb in the Note Viewer.

alert on bitbucket
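On the rendering side, the fix is to treat every markdown cell as untrusted input: Markdown passes raw HTML through, so the HTML produced for a cell must go through an allowlist sanitizer before it is inserted into the page. The Python below is an added example, not Bitbucket's or GitLab's code: it pulls the markdown cells out of the ipynb JSON and filters them with a small stdlib allowlist sanitizer (the tag, attribute and scheme lists are my choices), and the same sanitize_html would be run over the Markdown renderer's output.

```python
import json
import html.parser                       # also binds html.escape
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "h1", "h2", "h3", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}             # no on* handlers, no style=, no id/class
SAFE_SCHEMES = {"http", "https", "mailto"}  # javascript:, data: and relative links are dropped
DROP_CONTENT = {"script", "style"}          # drop these elements' text too, not just the tags

class AllowlistSanitizer(html.parser.HTMLParser):
    def __init__(self):
        super().__init__()   # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out, self.skip_depth = [], 0   # skip_depth > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        if tag in DROP_CONTENT or tag not in ALLOWED_TAGS:
            return           # unknown tag is dropped; its inner text is kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None or (
                    name == "href" and urlparse(value).scheme not in SAFE_SCHEMES):
                continue
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def render_markdown_cells(notebook_json):
    cells = json.loads(notebook_json).get("cells", [])
    sources = [c.get("source", "") for c in cells if c.get("cell_type") == "markdown"]
    return [sanitize_html(s if isinstance(s, str) else "".join(s)) for s in sources]  # source: str or [str]

SAMPLE_IPYNB = json.dumps({"cells": [{"cell_type": "markdown", "source": [  # constructed, not from the post
    "# Title\n", "<script>alert(1)</script>", '<a href="javascript:alert(1)" onclick="x()">link</a>']}]})
```

A sanitizer of this shape stays correct only if the output is inserted once, after Markdown rendering; sanitizing the source and then running a renderer that emits its own HTML from attribute-like syntax would need the filter applied again to the final HTML.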

Bitbucket rewarded me with $600.
Thanks Atlassian! 😎


  • 2018-07-01 : Found this vulnerability and reported it to Bitbucket
  • 2018-07-05 : Report triaged
  • 2018-07-11 : Got $600 bounty
  • 2018-07-20 : Fixed

© Kouhei Morita 2018