Source: node-rollup
Version: 3.29.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-rollup.

CVE-2026-27606[0]:
| Rollup is a module bundler for JavaScript. Versions prior to 2.80.0,
| 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x
| and present in current source) are vulnerable to an Arbitrary File
| Write via Path Traversal. Insecure file name sanitization in the
| core engine allows an attacker to control output filenames (e.g.,
| via CLI named inputs, manual chunk aliases, or malicious plugins)
| and use traversal sequences (`../`) to overwrite files anywhere on
| the host filesystem that the build process has permissions for. This
| can lead to persistent Remote Code Execution (RCE) by overwriting
| critical system or user configuration files. Versions 2.80.0,
| 3.30.0, and 4.59.0 contain a patch for the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27606
    https://www.cve.org/CVERecord?id=CVE-2026-27606
[1] https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
