CVE-2026-27606: Bundling Disaster: The Rollup Path Traversal Deep Dive

Published: February 25, 2026 at 10:40 PM EST
Source: Dev.to

Overview

Vulnerability ID: CVE-2026-27606
CVSS Score: 9.8 (Critical)
Published: 2026-02-25

Rollup, the widely‑used JavaScript module bundler, contained a critical flaw in its handling of output filenames. The implementation relied on a fragile regular‑expression blacklist instead of proper path normalization, allowing attackers to bypass sanitization. Malicious plugins or build configurations could traverse directories and write files anywhere on the host system, turning a normal npm run build into a Remote Code Execution (RCE) vector via arbitrary file overwrites.

TL;DR

Critical path‑traversal in Rollup permits arbitrary file writes. Attackers can escape the dist folder and overwrite system files (e.g., .bashrc) to gain RCE. Patched in Rollup 2.80.0, 3.30.0, and 4.59.0.

Exploit Status: Proof-of-Concept (PoC)

Technical Details

  • CWE ID: CWE‑22 (Path Traversal)
  • Attack Vector: Network (malicious config/plugin)
  • Impact: Arbitrary File Write / RCE
  • Exploit Status: PoC Available
  • KEV Listed: No

Affected Systems

  • Node.js environments running Rollup
  • CI/CD pipelines that use Rollup
  • Frontend build chains (e.g., Vite) that depend on vulnerable Rollup versions

Affected Rollup Versions | Fixed In
≥ 3.0.0, ≥ 4.0.0, < 4.59.0 | 4.59.0

Code Analysis

Commit c60770d (v4 branch)

Fix for CVE‑2026‑27606

+ Added validateOutputBundleFileNames and isFileNameOutsideOutputDirectory checks.

Commit c8cf1f9 (v3 branch)

Backport of path traversal validation.

Commit d6dee5e (v2 branch)

Backport of path traversal validation.

Exploit Details

A hypothetical exploit involves defining a chunk alias containing directory‑traversal characters (e.g., ../../../../etc/passwd) to overwrite sensitive files. The advisory describing this approach can be found here:

GHSA‑mw96‑cpmx‑2vgc

Mitigation Strategies

  1. Update Rollup to a patched version (≥ 2.80.0, ≥ 3.30.0, or ≥ 4.59.0).
  2. Audit third‑party Rollup plugins for malicious filename generation.
  3. Run build processes in isolated, low‑privilege environments (e.g., containers).

Remediation Steps

# Identify the installed Rollup version
npm list rollup

# Update to the latest version
npm install rollup@latest

# Or install a specific patched version
npm install rollup@2.80.0   # for v2 branch
npm install rollup@3.30.0   # for v3 branch
npm install rollup@4.59.0   # for v4 branch

# Verify the update
npm list rollup
