Rollup v4 Security Alert: Arbitrary File Write Vulnerability Exposes Build Systems (CVE-2026-27606)

A critical path traversal vulnerability in the widely used Rollup JavaScript module bundler exposes build systems to arbitrary file writes. The flaw, tracked as CVE-2026-27606, stems from insecure filename sanitization within Rollup's core engine, allowing an attacker to control output filenames and potentially overwrite critical system files.

The vulnerability is present in Rollup v4.x and exists in the current source code. Attack vectors include manipulation via CLI named inputs, manual chunk aliases, or other malicious inputs that bypass the flawed sanitization logic. This is not a theoretical risk; it is a direct path for an attacker to compromise the integrity of a build pipeline and the host system it runs on. The security advisory was published directly by the Rollup maintainers on GitHub, confirming the severity.

The immediate pressure is on development and DevOps teams to patch. The fix is included in the latest release, version 4.59.0, which this GitHub pull request aims to apply. Any project using an older v4.x version for bundling production code is at risk. This vulnerability places scrutiny on the security of the entire JavaScript toolchain, where a single compromised dependency in a build tool can have cascading effects. The update is marked as a security priority, signaling that delaying this patch could leave development environments and CI/CD pipelines exposed to active exploitation.