Rollup v4 Security Alert: Path Traversal Flaw (CVE-2026-27606) Allows Arbitrary File Write

A critical security vulnerability has been disclosed in the widely-used Rollup JavaScript module bundler. The flaw, tracked as CVE-2026-27606, is an arbitrary file write vulnerability stemming from insecure file name sanitization within Rollup's core engine. This path traversal weakness allows an attacker to control output filenames and use directory traversal sequences (`../`) to overwrite files anywhere on the filesystem where the bundler has write permissions.

The vulnerability is present in Rollup v4.x and exists in the current source code. Attack vectors are multiple and practical, including exploitation via CLI named inputs, manual chunk aliases, or malicious plugins. This is not a theoretical issue; it represents a direct mechanism for a bad actor to manipulate the build process and compromise the host system by writing to sensitive locations. The update to version 4.59.0, highlighted in a dependency management pull request, contains the necessary security patches to address this flaw.

The implications are severe for any development pipeline or CI/CD system using a vulnerable version of Rollup. The risk extends beyond the immediate build machine, potentially affecting deployment artifacts and integrated systems. This vulnerability underscores the critical supply chain risks posed by foundational build tools and the necessity of prompt dependency updates, as highlighted by the accompanying OpenSSF Scorecard badge in the advisory.