CVE-2026-27606
Path Traversal in Rollup Allows Arbitrary File Write, RCE
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rollupjs | rollup | Up to 2.80.0 (exc) |
| rollupjs | rollup | From 3.0.0 (inc) to 3.30.0 (exc) |
| rollupjs | rollup | From 4.0.0 (inc) to 4.59.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27606 is a security vulnerability in the Rollup JavaScript module bundler that allows an attacker to perform an Arbitrary File Write via Path Traversal. The core issue is that Rollup's filename sanitization does not properly filter out path traversal sequences like "../", allowing attackers to control output filenames and write files outside the intended output directory.
This means an attacker can craft malicious inputs (e.g., via CLI named inputs, manual chunk aliases, or plugins) that cause Rollup to overwrite arbitrary files anywhere on the host filesystem where the build process has write permissions.
Such unauthorized file writes can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files.
The vulnerability arises from improper sanitization of output filenames and unsafe path resolution logic that fails to restrict output files to the designated output directory.
Patched versions (2.80.0, 3.30.0, and 4.59.0) introduce strict validation that throws errors if any output file name attempts to escape the output directory, preventing this attack. [5, 7]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized overwriting of arbitrary files on the host system during the build process.
- Attackers can overwrite sensitive files such as SSH authorized keys, shell configuration files (e.g., .bashrc), or system binaries if the build process has sufficient privileges.
- It poses a significant supply chain risk, as malicious plugins or dependencies can exploit this to inject malicious code during the build phase.
- Developers building untrusted or third-party repositories are at risk of persistent Remote Code Execution (RCE) and system compromise.
Overall, exploitation can lead to full system compromise, persistent backdoors, and unauthorized control over affected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the Rollup bundler is generating output files with filenames that contain path traversal sequences such as "../" or absolute paths that escape the designated output directory.
A practical way to detect exploitation attempts is to look for build commands or plugin configurations that specify output filenames with path traversal characters.
For example, an attacker might run a command like:
- rollup --input "a/../../pwned.js=main.js" --dir dist
This command causes Rollup to write files outside the intended output directory.
To detect such activity on your system or network, you can:
- Monitor build logs or CI/CD pipeline logs for suspicious input or output filenames containing "../" or absolute paths.
- Search your filesystem for unexpected files created outside the expected output directories, especially files with suspicious names.
- Use file integrity monitoring tools to detect unauthorized file writes in sensitive directories.
Specific commands to check for suspicious files or paths might include:
- grep -r '\.\./' path/to/rollup/configs or build scripts
- find /path/to/output -type f -name '*pwned.js*' or other suspicious filenames
- Audit recent file changes outside expected directories using commands like 'find / -mtime -1' to find recently modified files. [5]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Rollup to a patched version that contains the fix for CVE-2026-27606.
- Upgrade to Rollup version 2.80.0 or later if using the 2.x branch.
- Upgrade to Rollup version 3.30.0 or later if using the 3.x branch.
- Upgrade to Rollup version 4.59.0 or later if using the 4.x branch.
These versions include validation that prevents output filenames from escaping the designated output directory by rejecting filenames containing path traversal sequences or absolute paths.
Additionally, review and sanitize any custom plugins or build scripts that generate output filenames to ensure they do not allow path traversal or absolute paths.
If upgrading immediately is not possible, consider:
- Restricting build process permissions to limit file write access only to intended directories.
- Auditing and monitoring build outputs for unexpected file writes.