[Pkg-javascript-devel] Bug#1129260: node-rollup: CVE-2026-27606
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 28 11:07:37 GMT 2026
Source: node-rollup
Version: 3.29.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-rollup.
CVE-2026-27606[0]:
| Rollup is a module bundler for JavaScript. Versions prior to 2.80.0,
| 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x
| and present in current source) are vulnerable to an Arbitrary File
| Write via Path Traversal. Insecure file name sanitization in the
| core engine allows an attacker to control output filenames (e.g.,
| via CLI named inputs, manual chunk aliases, or malicious plugins)
| and use traversal sequences (`../`) to overwrite files anywhere on
| the host filesystem that the build process has permissions for. This
| can lead to persistent Remote Code Execution (RCE) by overwriting
| critical system or user configuration files. Versions 2.80.0,
| 3.30.0, and 4.59.0 contain a patch for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27606
https://www.cve.org/CVERecord?id=CVE-2026-27606
[1] https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore