Rollup v4 Security Alert: Path Traversal Flaw (CVE-2026-27606) Exposes Projects to Arbitrary File Write

A critical security vulnerability has been disclosed in the widely-used Rollup module bundler, exposing countless JavaScript projects to arbitrary file overwrite attacks. The flaw, tracked as CVE-2026-27606, stems from insecure filename sanitization within Rollup's core engine. This allows an attacker to inject path traversal sequences (`../`) through various vectors—including CLI named inputs, manual chunk aliases, or malicious plugins—to write files outside the intended output directory, potentially overwriting critical system files.

The vulnerability is present in Rollup v4.x and exists in the current source code. The advisory, published via GitHub's security mechanism, indicates the issue is not just theoretical; it is exploitable by controlling output filenames. This represents a significant supply chain risk, as Rollup is a foundational build tool for the modern web development ecosystem, integrated into countless CI/CD pipelines and deployment workflows.

The immediate pressure is on development teams to update their dependency to the patched version, [email protected], as referenced in the automated pull request. The presence of an OpenSSF Scorecard badge in the alert underscores the formal security scrutiny applied to the project. Failure to patch leaves build systems vulnerable to compromise, where a single malicious input could corrupt deployment artifacts or critical configuration files, disrupting operations and integrity. This incident highlights the persistent security challenges within core open-source tooling that underpins global software infrastructure.