Description
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from insufficient filename sanitization in Rollup's core engine, which lets an attacker embed traversal sequences such as '../' when output filenames are specified through the CLI, manual chunk aliases, or malicious plugins. The flaw permits arbitrary file writes anywhere on the host filesystem that the build process has write permission for, potentially overwriting critical configuration or executable files. The consequence can be persistent remote code execution, since an attacker who can replace system binaries, scripts, or user configuration files controls what runs later on the host.

Affected Systems

The issue affects the Rollup JavaScript module bundler used in Node.js environments. Versions earlier than 2.80.0, 3.30.0, and 4.59.0 are vulnerable: every earlier release in the Rollup 2.x, 3.x, and 4.x lines contains the flaw, and 2.80.0, 3.30.0, and 4.59.0 are the first patched releases in their respective lines. The patched releases are documented in the Rollup changelog and can be retrieved from the official Rollup releases pages.

Risk and Exploitability

The CVSS score of 8.8 classifies the vulnerability as high severity. EPSS indicates a very low current exploitation probability (<1%), and it is not listed in the CISA KEV catalogue. Based on the description, it is inferred that any user who can supply input to the Rollup build process can trigger the flaw. Therefore, attackers could supply malicious filenames via the CLI, manual chunk aliases, or malicious plugins to overwrite arbitrary files, enabling remote code execution on the host system.

Generated by OpenCVE AI on April 18, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rollup to the latest patched version (v4.59.0, v3.30.0, or v2.80.0, or newer).
  • If an upgrade is not immediately possible, enforce strict validation of all output filenames, removing any path traversal sequences, and audit or disable third‑party plugins that manipulate chunk names.
  • Run Rollup builds within a restricted, least‑privilege environment, such as a dedicated CI container, to limit write permissions and prevent attackers from affecting critical system files.

Generated by OpenCVE AI on April 18, 2026 at 10:50 UTC.

Advisories
Source: Github GHSA
ID: GHSA-mw96-cpmx-2vgc
Title: Rollup 4 has Arbitrary File Write via Path Traversal
History

Thu, 26 Feb 2026 13:15:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 00:15:00 +0000

  References (updated)
  Metrics (values removed): threat_severity None
  Metrics (values added): threat_severity Important

Wed, 25 Feb 2026 16:15:00 +0000

  First Time appeared (values added): Rollupjs; Rollupjs rollup
  CPEs (values added): cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*
  Vendors & Products (values added): Rollupjs; Rollupjs rollup
  Metrics (values added): cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Feb 2026 12:00:00 +0000

  First Time appeared (values added): Rollup; Rollup rollup
  Vendors & Products (values added): Rollup; Rollup rollup

Wed, 25 Feb 2026 03:15:00 +0000

  Description (values added): Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
  Title (values added): Rollup 4 has Arbitrary File Write via Path Traversal
  Weaknesses (values added): CWE-22
  References (updated)
  Metrics (values added): cvssV4_0
    {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-25T20:10:29.816Z
Reserved: 2026-02-20T19:43:14.602Z
Link: CVE-2026-27606

Vulnrichment

Updated: 2026-02-25T20:10:18.661Z

NVD

Status: Analyzed
Published: 2026-02-25T03:16:04.603
Modified: 2026-02-25T16:05:11.063
Link: CVE-2026-27606

Redhat

Severity: Important
Public Date: 2026-02-25T02:08:06Z
Links: CVE-2026-27606 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses