## Rollup JavaScript Bundler Vulnerability Allows Arbitrary File Write via Path Traversal
A critical path traversal vulnerability has been disclosed in Rollup, the widely used JavaScript module bundler, affecting the 4.x release line and the current source code. Tracked as CVE-2026-27606 and published through GitHub's security advisory system (GHSA-mw96-cpmx-2vgc), the flaw stems from insufficient sanitization of output file names in the bundler's core engine, which lets an attacker who controls those names steer where build output is written. The vulnerability is exploitable in environments where CLI named inputs, manual chunk aliases, or external configuration sources can influence file naming during the build process.

Security researchers identified the root cause in Rollup's failure to properly sanitize file names supplied to bundling operations. This weakness is a direct vector for arbitrary file write, allowing an attacker to place files outside the intended output directory. The issue is particularly dangerous in CI/CD pipelines, automated build systems, or development environments that process untrusted input through the bundler. An attacker controlling build parameters could exploit this to overwrite system files, inject malicious code into project dependencies, or establish persistence within affected repositories.

The vulnerability prompted an emergency update to Rollup v4.59.0, which patches the insufficient file name validation in the core bundling engine. Organizations using Rollup in production or development workflows are advised to audit their dependency trees immediately, confirm which version is in use, and apply the security update without delay. Given Rollup's prevalence in the JavaScript ecosystem (it serves as a backbone for numerous build tools, frameworks, and library publishing pipelines), the potential blast radius of this vulnerability extends across a broad segment of the developer community. Teams integrating external configurations or plugin inputs into their Rollup-based builds should treat this as a high-priority remediation item.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-27606, path traversal, arbitrary file write, JavaScript bundler, security vulnerability
- **Credibility**: unverified
- **Published**: 2026-05-10 15:32:02
- **ID**: 81587
- **URL**: https://whisperx.ai/en/intel/81587