Rollup v4 Security Alert: Path Traversal Vulnerability (CVE-2026-27606) Exposes Projects to Arbitrary File Write

A critical security vulnerability in the widely-used Rollup module bundler exposes countless JavaScript projects to arbitrary file write attacks. The flaw, tracked as CVE-2026-27606, stems from insecure file name sanitization within Rollup's core engine, specifically in versions 4.x. This path traversal vulnerability allows an attacker to control output filenames, potentially overwriting critical system files or injecting malicious code into a build pipeline.

The vulnerability is present in the current source code and can be exploited through multiple vectors, including CLI named inputs, manual chunk aliases, or other maliciously crafted inputs. The security advisory from Rollup's GitHub repository confirms the issue, prompting an urgent update to version 4.59.0. The update patches the insecure sanitization logic that failed to properly validate and restrict file paths, a fundamental failure in a tool responsible for packaging application code.

This vulnerability poses a direct risk to the software supply chain. Any project using a vulnerable version of Rollup as part of its build process could be compromised if an attacker can influence the build configuration or input. The immediate pressure is on development and security teams to audit their dependencies and apply the patch. The flaw underscores the persistent security challenges in foundational open-source tooling, where a single bug in a high-dependency package can have cascading effects across the ecosystem.