Rollup 4 has Arbitrary File Write via Path Traversal
Description
Rollup is a module bundler for JavaScript. Versions of Rollup prior to 2.80.0, 3.30.0, and 4.59.0 (the issue was reported against v4.x and was present in the current source at the time of the advisory) are vulnerable to an arbitrary file write via path traversal. Insecure file name sanitization in the core engine allows an attacker who can influence output file names (for example via CLI named inputs, manual chunk aliases, or a malicious plugin) to use traversal sequences (../) to overwrite any file on the host filesystem that the build process has permission to write. This can lead to persistent remote code execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| rollup | npm | < 2.80.0 | 2.80.0 |
| rollup | npm | >= 3.0.0, < 3.30.0 | 3.30.0 |
| rollup | npm | >= 4.0.0, < 4.59.0 | 4.59.0 |
Affected products
References
- github.com/advisories/GHSA-mw96-cpmx-2vgc (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27606 (advisory)
- github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2 (commit)
- github.com/rollup/rollup/commit/c8cf1f9c48c516285758c1e11f08a54f304fd44e (commit)
- github.com/rollup/rollup/commit/d6dee5e99bb82aac0bee1df4ab9efbde455452c3 (commit)
- github.com/rollup/rollup/releases/tag/v2.80.0 (release)
- github.com/rollup/rollup/releases/tag/v3.30.0 (release)
- github.com/rollup/rollup/releases/tag/v4.59.0 (release)
- github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc (advisory)