Rollup v4 Security Alert: Path Traversal Flaw (CVE-2026-27606) Exposes Projects to Arbitrary File Write

A critical security vulnerability has been disclosed in the widely-used Rollup JavaScript module bundler, exposing countless development projects to arbitrary file write attacks. The flaw, tracked as CVE-2026-27606, stems from insecure file name sanitization within Rollup's core engine, specifically in versions 4.x. This path traversal vulnerability allows an attacker to control output filenames, potentially overwriting critical system files or injecting malicious code into a project's build output.

The vulnerability is present in the current source code and can be exploited through multiple vectors, including CLI named inputs, manual chunk aliases, or other maliciously crafted inputs. The advisory from Rollup's GitHub security page confirms the issue affects the bundler's core functionality, making it a systemic risk for any project using a vulnerable version. The dependency update PR explicitly flags this as a security update, moving from version 4.54.0 to the patched 4.59.0.

This is not a theoretical risk; it represents a direct pipeline for supply chain attacks. Any project that bundles dependencies with a vulnerable version of Rollup could have its build process compromised, leading to the silent insertion of backdoors or the destruction of key files. The widespread adoption of Rollup across the JavaScript and Node.js ecosystems means the potential blast radius is significant, affecting applications, libraries, and frameworks that rely on it for production builds. Developers are under immediate pressure to apply the v4.59.0 patch to sever this attack vector.