CVE-2026-27606 in Rollup
Summary
by MITRE • 02/25/2026
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/28/2026
The vulnerability identified as CVE-2026-27606 represents a critical path traversal flaw in the Rollup module bundler ecosystem affecting versions prior to 2.80.0, 3.30.0, and 4.59.0 across its major versions. This security weakness stems from inadequate file name sanitization within Rollup's core processing engine which permits attackers to manipulate output file paths through various legitimate input mechanisms. The flaw operates at the fundamental level of how Rollup handles file naming during the bundling process, creating a pathway for malicious actors to exploit the build system's trust in user-provided input data.
The technical execution of this vulnerability occurs when Rollup processes module inputs that contain traversal sequences such as `../` in their filenames. Attackers can leverage this weakness through multiple vectors including command line interface named inputs where malicious filenames are passed directly to the bundler, manual chunk aliasing that allows custom output naming, or by crafting malicious plugins that manipulate the build process. These methods bypass normal file system security boundaries and enable attackers to write files to arbitrary locations on the host system where the build process operates with sufficient privileges. The vulnerability is particularly dangerous because it operates within the legitimate build pipeline where the system typically grants write permissions to the build process, making it a prime target for persistent compromise.
The operational impact of CVE-2026-27606 extends beyond simple file overwrites to encompass potential persistent remote code execution capabilities. When attackers successfully exploit this vulnerability, they can overwrite critical system files, configuration files, or even replace legitimate binaries with malicious counterparts. This creates a persistent backdoor that can survive system reboots and provides attackers with continued access to compromised systems. The vulnerability's severity is amplified by the fact that many development environments and continuous integration pipelines run build processes with elevated privileges, increasing the potential attack surface. The flaw also affects the integrity of the software supply chain since compromised builds could distribute malicious code to downstream users.
This vulnerability maps directly to CWE-22 Path Traversal and aligns with ATT&CK techniques related to privilege escalation and persistence. The issue demonstrates how seemingly benign input handling can create critical security weaknesses in development tools that are widely used throughout the software development lifecycle. Organizations using Rollup in their build processes face significant risk, particularly those with automated build pipelines or those that accept untrusted input from external sources. The patch implemented in versions 2.80.0, 3.30.0, and 4.59.0 addresses the core sanitization issue by implementing proper input validation and path resolution that prevents traversal sequences from being processed as legitimate file paths. Security practitioners should prioritize updating all affected versions and consider implementing additional monitoring for suspicious file system activities in build environments to detect potential exploitation attempts.