Directory traversal in rollup-plugin-server

Description

This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 0.7.0

References

• GHSA-vr98-27qj-3c8q
• snyk.io
• CVE-2020-7686
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Directory traversal in rollup-plugin-server - rollup-plugin-server - CVE-2020-7683
• Path traversal in rollup-plugin-serve - CVE-2020-7684
• Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory - CVE-2026-30848
• Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write - CVE-2026-35214

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:

npm

rollup-plugin-server