Rollup v4 Security Flaw: Arbitrary File Write Vulnerability Exposes Build Pipelines
A critical security vulnerability has been disclosed in the widely-used Rollup module bundler, exposing countless JavaScript build pipelines to arbitrary file write attacks. The flaw, tracked as CVE-2026-27606, stems from insecure file name sanitization within Rollup's core engine, specifically in v4.x versions. This path traversal vulnerability allows a malicious actor to control output file paths, potentially leading to the overwriting of critical system files or the injection of malicious code into production builds.
The advisory, published as a GitHub security advisory, confirms the vulnerability is present in the current source code of Rollup v4. The issue was flagged in an automated dependency update pull request, which sought to upgrade Rollup from version 4.30.0 to the patched 4.59.0. The update is classified with high merge confidence, indicating a stable and recommended fix. The vulnerability's presence in a foundational tool like Rollup, a cornerstone of modern web development toolchains, significantly amplifies its potential impact, as it can be triggered during the standard bundling process of countless applications and libraries.
This discovery places immediate pressure on development and security teams across the software industry to audit and update their dependencies. Any project using an unpatched version of Rollup v4 is at risk. The flaw represents a direct threat to software supply chain integrity, where a compromised or malicious package could exploit this weakness during a build to escalate privileges or establish persistence within a deployed application. Organizations must treat this as a high-priority remediation task to prevent potential breaches stemming from poisoned build artifacts.