Rollup is a widely used module bundler for JavaScript applications. Versions prior to 2.80.0, 3.30.0, and 4.59.0 (the v4.x branch included) are vulnerable to an arbitrary file write vulnerability [S1].
Impact
An attacker can exploit this vulnerability to perform path traversal, allowing them to write or overwrite files outside of the intended build directory [S1]. In a CI/CD environment or a local development setup, this could lead to the corruption of source code, the injection of malicious scripts into the build pipeline, or the overwriting of sensitive configuration files.
Root Cause
The issue stems from insecure file name sanitization within Rollup's core engine [S1]. When processing module names or output paths, the engine fails to properly validate or neutralize path traversal sequences (such as ../), allowing a crafted input to escape the designated output directory.
How FixVibe could detect it
FixVibe could detect this vulnerability through its repository scanning mode. By analyzing package.json or lock files (such as package-lock.json or yarn.lock), FixVibe can identify whether a project depends on a version of rollup that falls within the affected ranges (prior to 2.80.0, 3.30.0, or 4.59.0) [S1].
Fix
Users should upgrade to one of the patched versions of Rollup:
- 2.80.0 or higher
- 3.30.0 or higher
- 4.59.0 or higher
Ensuring that the build environment uses a secure version of the bundler prevents attackers from leveraging module names to manipulate the filesystem [S1].
