CVE-2026-27606 Overview
CVE-2026-27606 is a Path Traversal vulnerability in Rollup, a popular module bundler for JavaScript. The vulnerability exists in versions prior to 2.80.0, 3.30.0, and 4.59.0 due to insecure file name sanitization in the core bundling engine. An attacker who can control output filenames through CLI named inputs, manual chunk aliases, or malicious plugins can use traversal sequences (../) to write files to arbitrary locations on the host filesystem where the build process has write permissions.
Critical Impact
Successful exploitation can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files, compromising the integrity of development and CI/CD environments.
Affected Products
- Rollup versions prior to 2.80.0
- Rollup versions 3.x prior to 3.30.0
- Rollup versions 4.x prior to 4.59.0
Discovery Timeline
- February 25, 2026 - CVE-2026-27606 published to NVD
- February 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27606
Vulnerability Analysis
The vulnerability stems from insufficient validation of output file paths during the bundling process. Rollup's core engine failed to properly sanitize filenames before writing bundled output, allowing path traversal sequences to escape the designated output directory. When an attacker can influence the output filename—whether through CLI named inputs, manual chunk configuration, or by injecting a malicious plugin into the build chain—they can craft filenames containing ../ sequences that traverse outside the intended output directory.
This weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The network-based attack vector combined with the lack of required privileges makes this vulnerability particularly dangerous in CI/CD pipelines and automated build systems where Rollup processes potentially untrusted input configurations.
Root Cause
The root cause lies in the path handling functions within browser/src/path.ts and src/Bundle.ts. The original implementation lacked proper path normalization and boundary validation to ensure output files remain within the configured output directory. The bundler would accept filenames containing parent directory references without stripping or rejecting them, ultimately allowing writes to locations outside the output directory bounds.
Attack Vector
An attacker can exploit this vulnerability through several vectors:
- CLI Named Inputs: Providing malicious input names via the command line that include traversal sequences
- Manual Chunk Aliases: Configuring chunk aliases in rollup.config.js with path traversal payloads
- Malicious Plugins: Crafting or injecting plugins that return filenames with ../ sequences during the bundle generation phase
The attack ultimately results in arbitrary file writes to any location the Node.js process has permissions for, enabling scenarios such as overwriting .bashrc, .profile, SSH authorized keys, or CI/CD configuration files for persistent compromise.
// Security patch - Path normalization to prevent directory traversal
// Source: https://github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2
// ANY_SLASH_REGEX is defined in the same module: both '/' and '\' count as separators.
const ANY_SLASH_REGEX = /[/\\]/;

export function join(...segments: string[]): string {
  const joined = segments.join('/');
  const absolute = ANY_SLASH_REGEX.test(joined[0]);
  return (
    (absolute ? '/' : '') +
    (normalizePathSegments(joined.split(ANY_SLASH_REGEX), absolute) || (absolute ? '' : '.'))
  );
}

// Collapses '.' and '..' segments. For a relative path a leading '..' is kept
// rather than silently dropped, so an escape from the output directory stays
// visible; the check that refuses such names (logFileNameOutsideOutputDirectory
// in src/Bundle.ts) is separate from this normalization.
function normalizePathSegments(parts: string[], absolute = false): string {
  const normalized: string[] = [];
  for (const part of parts) {
    if (part === '..') {
      if (normalized.length > 0 && normalized[normalized.length - 1] !== '..') {
        normalized.pop(); // step back out of the segment just entered
      } else if (!absolute) {
        normalized.push('..'); // relative path: nothing to pop, keep the '..'
      }
      // absolute path: a '..' above the root is dropped
    } else if (part !== '.' && part !== '') {
      normalized.push(part);
    }
  }
  return normalized.join('/');
}
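As an added illustration (not Rollup's source), the following JavaScript port of the normalizer above adds an output-directory boundary check modelled on the behaviour the advisory attributes to src/Bundle.ts; checkOutputFileName and the sample names are assumptions made for this example. It shows why normalization alone is not enough: a relative name that still begins with '..' after normalization, a backslash-separated variant, or an absolute name all leave the output directory.

```javascript
// Added illustration, not Rollup's source: a JavaScript port of the patched
// normalizer plus an output-directory boundary check. checkOutputFileName and
// the sample names below are assumptions made for this example.

// Rollup's path.ts treats '/' and '\' alike as separators.
const ANY_SLASH_REGEX = /[/\\]/;

function normalizePathSegments(parts, absolute = false) {
  const normalized = [];
  for (const part of parts) {
    if (part === '..') {
      if (normalized.length > 0 && normalized[normalized.length - 1] !== '..') {
        normalized.pop(); // step back out of the segment just entered
      } else if (!absolute) {
        normalized.push('..'); // relative path: the escape stays visible
      }
    } else if (part !== '.' && part !== '') {
      normalized.push(part);
    }
  }
  return normalized.join('/');
}

function join(...segments) {
  const joined = segments.join('/');
  const absolute = ANY_SLASH_REGEX.test(joined[0]);
  return (absolute ? '/' : '') +
    (normalizePathSegments(joined.split(ANY_SLASH_REGEX), absolute) || (absolute ? '' : '.'));
}

// Normalization only makes an escape explicit; the write must still be refused.
// A name is allowed only if it is relative and, once joined with outDir and
// normalized, lies strictly beneath the normalized outDir.
function checkOutputFileName(outDir, fileName) {
  const base = join(outDir);
  const normalized = join(outDir, fileName);
  const relative = !ANY_SLASH_REGEX.test(fileName[0] || '');
  const inside = base === '.'
    ? normalized !== '.' && normalized !== '..' && !normalized.startsWith('../')
    : normalized.startsWith(base + '/');
  return { normalized, allowed: relative && inside };
}

// Constructed sample names covering the vectors named in the advisory.
const SAMPLE_FILE_NAMES = ['chunks/../vendor.js', '../../.bashrc', '..\\..\\.profile', '/tmp/out.js'];
for (const name of SAMPLE_FILE_NAMES) {
  const { normalized, allowed } = checkOutputFileName('dist', name);
  console.log(`${allowed ? 'allow ' : 'REJECT'} ${name} -> ${normalized}`);
}
```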
Detection Methods for CVE-2026-27606
Indicators of Compromise
- Unexpected file modifications outside the configured Rollup output directory during build processes
- Build logs showing chunk or asset filenames containing ../ sequences
- Newly created or modified configuration files (e.g., .bashrc, .profile, .gitconfig) with timestamps correlating to build execution times
- Suspicious plugins in node_modules or rollup.config.js that manipulate output filenames
Detection Strategies
- Implement file integrity monitoring (FIM) on critical system and user configuration files to detect unauthorized modifications during build processes
- Audit Rollup configuration files and installed plugins for any filename manipulation that includes path traversal characters
- Review CI/CD pipeline logs for build outputs that reference paths outside expected directories
- Use static analysis tools to scan rollup.config.js and custom plugins for suspicious filename patterns
Monitoring Recommendations
- Enable verbose logging in build systems to capture full output paths for all generated files
- Monitor the output directory structure after builds for any symbolic links or unexpected directory hierarchies
- Implement sandboxing for build processes to limit filesystem write permissions to designated directories only
- Set up alerts for any filesystem writes outside designated build output directories during CI/CD execution
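An added detection example (not from the advisory or from Rollup) that applies the log-based indicators listed above: it scans build log lines in the Rollup CLI's "created <file> in <time>" summary shape and flags created paths that contain a '..' segment or start from an absolute root. The sample log lines are constructed, and scanBuildLog and classifyOutputPath are names chosen for this example.

```javascript
// Added detection helper, not part of the advisory or of Rollup. Scans build
// log text for created output paths with traversal segments or absolute roots.
// The "created <file>[, <file>...] in <time>" shape follows the Rollup CLI
// summary line; the sample log below is constructed for this example.

const CREATED_LINE = /^created (.+) in \S+$/;

// Treat '/' and '\' alike, as Rollup's own path handling does.
function splitSegments(p) {
  return p.split(/[/\\]/);
}

function isAbsolutePath(p) {
  return /^([/\\]|[A-Za-z]:[/\\])/.test(p);
}

// Returns a reason string for a suspicious path, or null when it looks normal.
function classifyOutputPath(p) {
  if (isAbsolutePath(p)) return 'absolute-path';
  if (splitSegments(p).includes('..')) return 'parent-traversal';
  return null;
}

// One finding per suspicious created file: { line, file, reason }.
function scanBuildLog(logText) {
  const findings = [];
  logText.split(/\r?\n/).forEach((text, index) => {
    const m = CREATED_LINE.exec(text.trim());
    if (!m) return;
    for (const file of m[1].split(',').map((s) => s.trim())) {
      const reason = classifyOutputPath(file);
      if (reason) findings.push({ line: index + 1, file, reason });
    }
  });
  return findings;
}

// Constructed sample log: one clean build summary and two escaping outputs.
const SAMPLE_LOG = [
  'src/main.js → dist/bundle.js, dist/vendor.js...',
  'created dist/bundle.js, dist/vendor.js in 312ms',
  'src/worker.js → dist/../../.bashrc...',
  'created dist/../../.bashrc in 41ms',
  'created ..\\..\\.profile in 9ms',
].join('\n');

for (const f of scanBuildLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.reason} -> ${f.file}`);
}
```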
How to Mitigate CVE-2026-27606
Immediate Actions Required
- Upgrade Rollup to patched versions immediately: 2.80.0, 3.30.0, or 4.59.0 depending on your major version line
- Audit all Rollup configurations and installed plugins for potential path traversal payloads
- Review recent build outputs for any files written outside expected output directories
- Implement filesystem sandboxing or restricted permissions for build processes as a defense-in-depth measure
Patch Information
The Rollup maintainers have released patched versions that properly validate output paths and prevent files from being written outside the designated output directory. The fix introduces a join function with proper path normalization and a logFileNameOutsideOutputDirectory error handler in src/Bundle.ts.
Patched versions are available: 2.80.0 for the 2.x line, 3.30.0 for 3.x, and 4.59.0 for 4.x.
For more details, see the GitHub Security Advisory GHSA-mw96-cpmx-2vgc.
Workarounds
- Run Rollup build processes in containerized environments with strict filesystem isolation and read-only mounts for sensitive directories
- Implement pre-build validation scripts that scan configuration files for path traversal sequences before executing Rollup
- Use operating system-level protections to restrict the build process user's write permissions to only the necessary output directory
- Temporarily avoid using CLI named inputs or manual chunk aliases from untrusted sources until patching is complete
# Configuration example - Upgrade Rollup to a patched version
# 'npm update' only moves within the range already in package.json, so use
# 'npm install' with an explicit version (or @latest) to reach a fixed release.
npm install rollup@latest
# Or pin the first patched release of your major version line
npm install rollup@4.59.0   # For v4.x users
npm install rollup@3.30.0   # For v3.x users
npm install rollup@2.80.0   # For v2.x users
# Verify the installed version is at or above the patched release
npx rollup --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.