Directory traversal in rollup-plugin-server - rollup-plugin-server

Description

This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 0.7.0

References

• GHSA-34gh-3cwv-wvp2
• snyk.io
• CVE-2020-7683
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Directory traversal in rollup-plugin-server - CVE-2020-7686
• Path traversal in rollup-plugin-serve - CVE-2020-7684
• MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 - CVE-2025-67898
• Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write - CVE-2026-35214

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Exploiting Server Version Disclosure

Update Cheat Sheet for Developers

Tags:

npm

rollup-plugin-server