CVE-2026-27606
Received - Intake
Path Traversal in Rollup Allows Arbitrary File Write, RCE

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Rollup is a module bundler for JavaScript. Versions of Rollup prior to 2.80.0, 3.30.0, and 4.59.0 are vulnerable to arbitrary file write via path traversal. Insecure file name sanitization in the core engine lets an attacker who controls output filenames (for example, through CLI named inputs, manual chunk aliases, or a malicious plugin) use traversal sequences (`../`) to overwrite any file on the host filesystem that the build process has permission to write. This can lead to persistent remote code execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-25
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor    Product   Version / Range
rollupjs  rollup    before 2.80.0 (exclusive)
rollupjs  rollup    from 3.0.0 (inclusive) to 3.30.0 (exclusive)
rollupjs  rollup    from 4.0.0 (inclusive) to 4.59.0 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27606 is a security vulnerability in the Rollup JavaScript module bundler that allows an attacker to perform an arbitrary file write via path traversal. The core issue is that Rollup's filename sanitization does not properly filter out path traversal sequences like "../", allowing attackers to control output filenames and write files outside the intended output directory.

This means an attacker can craft malicious inputs (e.g., via CLI named inputs, manual chunk aliases, or plugins) that cause Rollup to overwrite arbitrary files anywhere on the host filesystem where the build process has write permissions.

Such unauthorized file writes can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files.

The vulnerability arises from improper sanitization of output filenames and unsafe path resolution logic that fails to restrict output files to the designated output directory.

Patched versions (2.80.0, 3.30.0, and 4.59.0) introduce strict validation that throws errors if any output file name attempts to escape the output directory, preventing this attack. [5, 7]


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized overwriting of arbitrary files on the host system during the build process.

  • Attackers can overwrite sensitive files such as SSH authorized keys, shell configuration files (e.g., .bashrc), or system binaries if the build process has sufficient privileges.
  • It poses a significant supply chain risk, as malicious plugins or dependencies can exploit this to inject malicious code during the build phase.
  • Developers building untrusted or third-party repositories are at risk of persistent Remote Code Execution (RCE) and system compromise.

Overall, exploitation can lead to full system compromise, persistent backdoors, and unauthorized control over affected systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether the Rollup bundler is generating output files with filenames that contain path traversal sequences such as "../" or absolute paths that escape the designated output directory.

A practical way to detect exploitation attempts is to look for build commands or plugin configurations that specify output filenames with path traversal characters. For example, an attacker might run a command like:

  rollup --input "a/../../pwned.js=main.js" --dir dist

The part before "=" is the entry name, which Rollup turns into the output filename, so the traversal sequence in it causes Rollup to write outside the intended output directory.

To detect such activity on your system or network, you can:

  • Monitor build logs or CI/CD pipeline logs for suspicious input or output filenames containing "../" or absolute paths.
  • Search your filesystem for unexpected files created outside the expected output directories, especially files with suspicious names.
  • Use file integrity monitoring tools to detect unauthorized file writes in sensitive directories.

Specific commands to check for suspicious files or paths might include:

  • grep -r '\.\./' path/to/rollup/configs (or your build scripts)
  • find /path/to/output -type f -name '*pwned.js*' (or other suspicious filenames)
  • find / -mtime -1 to audit files modified in the last day outside the expected directories

Note that a grep over configuration files only catches names written down statically; a malicious plugin can assemble a traversing name at build time, so the version check and file-write monitoring matter more than the grep. [5]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Rollup to a patched version that contains the fix for CVE-2026-27606.

  • Upgrade to Rollup version 2.80.0 or later if using the 2.x branch.
  • Upgrade to Rollup version 3.30.0 or later if using the 3.x branch.
  • Upgrade to Rollup version 4.59.0 or later if using the 4.x branch.

These versions include validation that prevents output filenames from escaping the designated output directory by rejecting filenames containing path traversal sequences or absolute paths.

Additionally, review and sanitize any custom plugins or build scripts that generate output filenames to ensure they do not allow path traversal or absolute paths.

If upgrading immediately is not possible, consider:

  • Restricting build process permissions to limit file write access only to intended directories.
  • Auditing and monitoring build outputs for unexpected file writes.
