FixVibe
Research note (severity: critical)

Arbitrary File Write in Rollup via Path Traversal (CVE-2026-27606)

Rollup, a popular JavaScript module bundler, is vulnerable to an arbitrary file write flaw. Insecure file name sanitization in the core engine lets a crafted module name traverse out of the output directory, so a build can overwrite application files, or any other file the build process is allowed to write, instead of emitting into the expected location. This affects versions prior to 2.80.0, 3.30.0, and 4.59.0.

CVE-2026-27606 · CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Rollup is a widely used module bundler for JavaScript applications. Versions prior to 2.80.0, 3.30.0, and 4.59.0, that is, unpatched releases in each of the 2.x, 3.x and 4.x lines, are vulnerable to an arbitrary file write [S1].

Impact

An attacker can exploit this vulnerability to perform path traversal, writing or overwriting files outside the intended build directory [S1]. The write runs with the privileges of the build process, so in a CI/CD runner or a local development setup it can corrupt source code, inject malicious scripts into the build pipeline, or overwrite sensitive configuration files. Since the trigger is a module name rather than a deliberate configuration choice, any dependency or plugin that can contribute a module to the build graph is a potential source of the crafted input.

Root Cause

The issue stems from insecure file name sanitization within Rollup's core engine [S1]. When turning module names into output paths, the engine fails to validate or neutralize path traversal sequences (such as ../ or, on Windows, ..\), so a crafted name escapes the designated output directory and the chunk is written wherever the traversal points.

How FixVibe could detect it

FixVibe could detect this vulnerability through its repository scanning mode. By analyzing package.json or lock files (such as package-lock.json or yarn.lock), FixVibe can identify whether a project is using a version of rollup that falls within the affected ranges (prior to 2.80.0, 3.30.0, or 4.59.0) [S1]. Lock files are the stronger signal: package.json records only a range, and the vulnerable copy is frequently a nested transitive install rather than the direct dependency.

Fix

Users should upgrade to one of the patched versions of Rollup:

  • 2.80.0 or higher
  • 3.30.0 or higher
  • 4.59.0 or higher

Ensuring that the build environment uses a secure version of the bundler prevents attackers from leveraging module names to manipulate the filesystem [S1]. Rollup is often a transitive dependency (Vite, for example, builds with it), so check every copy recorded in the lock file rather than only the direct dependency, and regenerate the lock file after upgrading so that nested copies are moved to a fixed version as well.
