DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27606: Bundling Disaster: The Rollup Path Traversal Deep Dive

#security #cve #cybersecurity

Bundling Disaster: The Rollup Path Traversal Deep Dive

Vulnerability ID: CVE-2026-27606
CVSS Score: 9.8
Published: 2026-02-25

Rollup, the omnipresent JavaScript module bundler used by virtually every modern frontend framework, contained a critical flaw in how it handled output filenames. Due to a reliance on a fragile regular expression blacklist rather than proper path normalization, attackers could bypass sanitization mechanisms. This vulnerability allowed malicious plugins or build configurations to traverse directories and write files anywhere on the host system, effectively turning a standard npm run build command into a Remote Code Execution (RCE) vector via arbitrary file overwrites.

TL;DR

Critical path traversal in Rollup allows arbitrary file writes. Attackers can escape the 'dist' folder and overwrite system files (like .bashrc) to gain RCE. Patched in versions 2.80.0, 3.30.0, and 4.59.0.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network (via malicious config/plugin)
  • CVSS: 9.8 (Critical)
  • Impact: Arbitrary File Write / RCE
  • Exploit Status: PoC Available
  • KEV Listed: No

Affected Systems

  • Node.js environments running Rollup
  • CI/CD pipelines using Rollup
  • Frontend build chains (Vite, etc. if dependent on vulnerable Rollup versions)
  • Rollup: < 2.80.0 (Fixed in: 2.80.0)
  • Rollup: >= 3.0.0, < 3.30.0 (Fixed in: 3.30.0)
  • Rollup: >= 4.0.0, < 4.59.0 (Fixed in: 4.59.0)

Code Analysis

Commit: c60770d

Fix for CVE-2026-27606 (v4 branch)

Added validateOutputBundleFileNames and isFileNameOutsideOutputDirectory checks.
Enter fullscreen mode Exit fullscreen mode

Commit: c8cf1f9

Fix for CVE-2026-27606 (v3 branch)

Backport of path traversal validation.
Enter fullscreen mode Exit fullscreen mode

Commit: d6dee5e

Fix for CVE-2026-27606 (v2 branch)

Backport of path traversal validation.
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Hypothetical: Exploitation involves defining a chunk alias with directory traversal characters to overwrite sensitive files.

Mitigation Strategies

  • Update Rollup to patched versions (2.80.0, 3.30.0, 4.59.0).
  • Audit third-party Rollup plugins for malicious filename generation.
  • Run build processes in isolated, low-privilege environments (containers).

Remediation Steps:

  1. Identify the Rollup version: npm list rollup
  2. Update package: npm install rollup@latest or specifically target the patched version.
  3. Verify the update: Ensure the installed version matches 2.80.0+, 3.30.0+, or 4.59.0+.

References

Read the full report for CVE-2026-27606 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)