Description
The Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (../) to overwrite files anywhere on the host filesystem that the build process has permissions for.
Recommendation
Update the rollup package to the latest compatible version. Followings are version details:
Affected version(s): **>= 4.0.0, < 4.59.0 >= 3.0.0, < 3.30.0 < 2.80.0** Patched version(s): **4.59.0 3.30.0 2.80.0**
References
Related Issues
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
- @mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools - CVE-2026-33989
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- @appium/support has a Zip Slip arbitrary file write in its ZIP extraction - CVE-2026-30973
- Tags:
- npm
- rollup
Anything's wrong? Let us know Last updated on February 25, 2026