CVE-2026-27606 - Rollup path traversal arbitrary write

Rollup versions before the fixed release lines can write build output outside the intended output directory when attacker-controlled chunk, asset, or named input values contain path traversal. In practical repositories, exposure is highest where CI or developer tooling builds untrusted repositories, plugins, workspace packages, tenant themes, generated code, or externally supplied configuration with filesystem write privileges.

The patch path is an upgrade, but a reviewer-ready fix should also identify whether untrusted build inputs or plugins exist. Otherwise the same class can reappear through custom Rollup wrappers, plugin output names, or build systems that run with package-publish and deploy credentials.

When to use it

Use this recipe when a repository uses Rollup directly or transitively through Vite, Svelte, Storybook, local packages, plugin wrappers, generated code, or marketplace/tenant/theme build workflows. It is designed for source-code and build-chain remediation, untrusted build-input review, canonical output containment, credential hygiene, and evidence that build outputs cannot write outside intended directories.

Inputs

  • Rollup version, package manager and lockfile state, transitive bundler owners, build scripts, plugin/wrapper code, CI images, devcontainers, SBOMs, and generated dependency reports.
  • Source/config paths that set chunk names, asset names, named inputs, plugin-generated file names, tenant/theme/sample builds, release packaging, or output directory handling.
  • Regression fixtures for traversal output names, absolute paths, symlinks, benign assets, plugin-emitted files, temporary output roots, and denied out-of-root writes.
  • Boundary evidence: untrusted build sources, fork/PR/marketplace workflows, package-publish/signing/deploy/cloud credentials, image owners, logs, and rollout owner.

Affected versions

Package Vulnerable versions Fixed versions
rollup <2.80.0 2.80.0+
rollup >=3.0.0, <3.30.0 3.30.0+
rollup >=4.0.0, <4.59.0 4.59.0+

NVD scores this CVE as Critical under CVSS 3.1, while GitHub Advisory Database currently lists it as High. The remediation target is the same in both sources.

Indicator-of-exposure

  • The repository resolves rollup in one of the affected ranges through npm, pnpm, yarn, bun, lockfiles, vendored packages, generated dependency reports, SBOMs, Docker layers, CI images, or framework tooling.
  • Build commands allow untrusted or semi-trusted users to influence Rollup named inputs, output.entryFileNames, output.chunkFileNames, output.assetFileNames, manualChunks, plugin-generated file names, theme builds, extension bundles, tenant assets, or generated package names.
  • CI builds pull requests, forks, templates, plugins, low-code assets, browser extensions, customer themes, or documentation sandboxes with write access to the workspace, cache, release directory, package registry, or deployment artifacts.
  • Rollup runs in jobs that also hold npm tokens, GitHub tokens, deploy keys, cloud credentials, signing keys, SSH keys, SBOM/provenance credentials, or release-promotion permissions.
  • Custom wrappers around Rollup write output files by resolving untrusted file names against a build directory without checking the final path remains inside that directory.

Quick checks:

rg -n "\"rollup\"|rollup\\.config|manualChunks|entryFileNames|chunkFileNames|assetFileNames|emitFile|this\\.emitFile|generateBundle|writeBundle|output\\.dir|--dir|--input|vite|svelte|storybook|plugin" .
npm ls rollup
pnpm why rollup
yarn why rollup
bun pm ls rollup

Windows:

rg -n "\"rollup\"|rollup\.config|manualChunks|entryFileNames|chunkFileNames|assetFileNames|emitFile|this\.emitFile|generateBundle|writeBundle|output\.dir|--dir|--input|vite|svelte|storybook|plugin" .
npm ls rollup
pnpm why rollup
yarn why rollup
bun pm ls rollup

Do not run arbitrary path traversal proofs, write outside the repository, or execute untrusted Rollup plugins during triage.

Remediation strategy

  • Upgrade rollup to the fixed release for the current major line: 2.80.0+, 3.30.0+, or 4.59.0+.
  • Refresh lockfiles, package-manager metadata, generated dependency reports, SBOMs, container layers, devcontainer images, CI runner images, and release artifacts.
  • Find every build path where untrusted input can affect Rollup output names or plugin-generated assets. Add repository-local guards where wrappers or plugins construct output paths.
  • For custom build wrappers, normalize final paths with the platform path API and reject writes outside the intended output root after symlink-aware path resolution where practical.
  • Run untrusted builds in a restricted workspace without package-publish, deploy, signing, cloud, or repository-write credentials.
  • If upgrade is blocked, disable untrusted Rollup builds and custom plugins, or force a reviewed static output-name policy until the fixed version can ship.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-27606 / GHSA-mw96-cpmx-2vgc, a Rollup path
traversal issue that can write files outside the configured build output
directory. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Rollup, refreshes generated
  artifacts, identifies untrusted build surfaces, adds safe path-boundary tests
  or guards where this repository owns wrappers/plugins, and documents operator
  containment, or
- TRIAGE.md if this repository does not own an affected Rollup dependency,
  build wrapper, plugin, image, or deployable build pipeline.

## Rules

- Scope only CVE-2026-27606 / GHSA-mw96-cpmx-2vgc and directly related Rollup
  build, plugin, output-path, CI, and release controls.
- Treat release artifacts, package publish tokens, signing keys, deploy keys,
  cloud credentials, SBOM/provenance credentials, source archives, generated
  bundles, and workspace caches as sensitive.
- Do not run exploit commands, write outside the repository, test against live
  release directories, execute untrusted plugins, or print secret-bearing build
  environment values.
- Do not remove build integrity checks, provenance, signing, package publishing
  verification, or tests to silence the advisory.
- Do not auto-merge.

## Steps

1. Inventory every Rollup consumer controlled by this repository: package
   manifests, lockfiles, workspaces, Vite/Svelte/Storybook integrations,
   Dockerfiles, devcontainers, CI images, generated dependency reports, SBOMs,
   build scripts, local plugins, custom wrappers, and release packaging.
2. Determine every resolved `rollup` version. A target is vulnerable if it
   resolves to `<2.80.0`, `>=3.0.0, <3.30.0`, or `>=4.0.0, <4.59.0`.
3. Search for output-name control points: `--input`, named inputs,
   `entryFileNames`, `chunkFileNames`, `assetFileNames`, `manualChunks`,
   `emitFile`, `generateBundle`, `writeBundle`, custom plugin code, generated
   package names, tenant/theme builds, extension builds, and docs sandboxes.
4. Search build environments for token-bearing steps by secret name only:
   `GITHUB_TOKEN`, npm publish tokens, signing keys, deploy keys, cloud
   credentials, provenance credentials, SSH keys, and package registry tokens.
   Never print values.
5. If Rollup is absent, only supplied by an external platform, or already fixed
   with no repository-owned wrapper/plugin surface, stop with `TRIAGE.md`
   listing checked files, resolved versions, and the external owner if any.
6. Upgrade Rollup on the current major line to `2.80.0+`, `3.30.0+`, or
   `4.59.0+`. Refresh lockfiles, generated dependency reports, SBOMs, image
   metadata, deployment artifacts, and docs that pin the build chain.
7. Where this repository owns Rollup wrappers or plugins that create output
   paths, add a safe join helper or equivalent guard:
   - normalize the candidate path;
   - resolve it against the intended output root;
   - reject paths that escape the output root;
   - reject absolute paths from untrusted inputs;
   - test Windows and POSIX separators.
8. Add safe regression coverage:
   - dependency policy rejects vulnerable Rollup ranges;
   - wrapper/plugin path guards reject traversal-like file names without
     writing files outside a temporary output root;
   - untrusted pull-request or plugin builds run without publish, deploy, or
     signing secrets;
   - generated artifacts and SBOMs name the fixed version.
9. Add a PR body section named `CVE-2026-27606 operator actions` that states:
   - Rollup versions before and after;
   - which apps, packages, or build systems were affected;
   - whether untrusted build inputs or plugins can influence output names;
   - which path-boundary tests or guards were added;
   - whether build caches, generated artifacts, or runner images must be
     cleaned;
   - whether package, signing, or deploy credentials were adjacent and need
     audit or rotation;
   - which validation commands passed.
10. Run relevant validation: package install, lockfile integrity, lint,
    typecheck, unit tests, build, plugin/wrapper tests, image build, SBOM
    refresh, dependency/security scans, and release dry-run if available.
11. Use PR title:
    `fix(sec): remediate CVE-2026-27606 in Rollup builds`.

## Stop conditions

- No affected Rollup version, build pipeline, image, wrapper, plugin, or
  generated artifact is controlled by this repository.
- Rollup is supplied only by an external platform or base image; document the
  owner and required fixed version.
- Upgrading Rollup requires a broader framework or bundler migration outside
  this PR's ownership.
- Verification would require exploit output names against live workspaces,
  executing untrusted plugins, writing outside the repository, or exposing
  secret-bearing build environments.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades Rollup, refreshes lockfiles/generated artifacts, hardens owned output-name handling, separates untrusted builds from secrets, and adds path-containment tests where owned.
  • Or a TRIAGE.md file that lists inspected package files/build wrappers, owner, observed version, untrusted build boundary, output roots, required fix, and residual risk.
  • The output must include exact validation commands and must not execute untrusted plugins, write outside temporary test directories, expose build secrets, or run release/publish/deploy jobs during triage.

Verification - what the reviewer looks for

  • No controlled package manifest, lockfile, image, SBOM, or dependency report resolves Rollup in the vulnerable ranges.
  • Any repository-owned Rollup wrapper or plugin that handles untrusted output names proves final writes stay under the intended output directory.
  • CI separates untrusted builds from package-publish, signing, deploy, and cloud credentials.
  • Generated artifacts, Docker layers, devcontainers, and release metadata agree on the fixed Rollup version.
  • Tests use temporary directories and inert names; they do not write outside the repository or execute untrusted plugin code.

Watch for

  • Updating direct rollup dependencies while Vite, Svelte, Storybook, or local packages still resolve a vulnerable transitive copy.
  • Forgetting build images, devcontainers, generated SBOMs, or release packaging scripts.
  • Assuming output-name guards are safe because they strip ../ before path normalization.
  • Running untrusted fork builds with npm publish, signing, deploy, or cloud credentials.
  • Treating plugin-generated assets as trusted when plugins come from user, tenant, marketplace, or sample-project content.

References