CVE-2026-27606
Published: 25 February 2026
Description
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (the flaw was identified in v4.x and is present in the current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-2 (Flaw Remediation): requires timely patching of Rollup to version 2.80.0, 3.30.0, or 4.59.0 (whichever major line is in use), which directly removes the path traversal in file name sanitization.
AC-6 (Least Privilege): enforces least privilege on the process running Rollup builds (a dedicated build user, a container or sandbox with the output directory as the only writable location), so that an arbitrary file write cannot reach system or user configuration files even if an unpatched bundler is exploited.
SI-10 (Information Input Validation): validates inputs to the build such as CLI named inputs, manual chunk aliases, and plugin-supplied file names, rejecting any output name whose resolved path escapes the output directory. A check on the resolved, normalized path is the reliable form of this control; merely stripping '../' substrings can be bypassed by nested sequences and misses absolute paths.
Security Summary [AI-generated]
CVE-2026-27606 is an Arbitrary File Write vulnerability via Path Traversal (CWE-22) affecting the Rollup JavaScript module bundler. Versions prior to 2.80.0, 3.30.0, and 4.59.0, including v4.x and the current source, are vulnerable due to insecure file name sanitization in the core engine. This flaw enables attackers to control output filenames through mechanisms such as CLI named inputs, manual chunk aliases, or malicious plugins.
The vulnerability can be exploited by any unauthenticated attacker with the ability to influence a Rollup build process, such as by supplying malicious inputs or plugins to a developer or CI/CD pipeline. By injecting path traversal sequences like "../", the attacker can overwrite arbitrary files on the host filesystem wherever the build process has write permissions. This may lead to persistent Remote Code Execution (RCE) through modification of critical system or user configuration files. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its high severity, network accessibility, and low attack complexity.
Mitigation is provided in Rollup versions 2.80.0, 3.30.0, and 4.59.0, which include patches addressing the file name sanitization issue, as evidenced by the corresponding GitHub commit fixes and release tags. Security practitioners should upgrade affected installations immediately and review build inputs, plugins, and configurations for potential traversal risks.
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Affected Products
- Rollup 2.x before 2.80.0, 3.x before 3.30.0, and 4.x before 4.59.0 (fixed in 2.80.0, 3.30.0, and 4.59.0)
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The arbitrary file write in Rollup, a development tool, lets an attacker who can supply malicious inputs or plugins overwrite files during builds in developer or CI/CD pipelines. That is a direct instance of T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools): the build tool itself becomes the vector for persisting on the build host.