The Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (../) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files.
The vulnerability is caused by the combination of two flawed components in the Rollup core:
Improper Sanitization: In src/utils/sanitizeFileName.ts, the INVALID_CHAR_REGEX used to clean user-provided names for chunks and assets excludes the period (.) and forward/backward slashes (/, \).
// src/utils/sanitizeFileName.ts (Line 3)
const INVALID_CHAR_REGEX = /[\u0000-\u001F"#$%&*+,:;<=>?[\]^`{|}\u007F]/g;
This allows path traversal sequences like ../../ to pass through the sanitizer unmodified.
Unsafe Path Resolution: In src/rollup/rollup.ts, the writeOutputFile function uses path.resolve to combine the output directory with the "sanitized" filename.
// src/rollup/rollup.ts (Line 317)
const fileName = resolve(outputOptions.dir || dirname(outputOptions.file!), outputFile.fileName);
Because path.resolve follows the ../ sequences in outputFile.fileName, the resulting path points outside of the intended output directory. The subsequent call to fs.writeFile completes the arbitrary write.
A demonstration of this vulnerability can be performed using the Rollup CLI or a configuration file.
Scenario: CLI Named Input Exploit
pwned.js).2.80.03.30.04.59.0Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:HVA:NSubsequent System
SC:NSI:NSA:N8.8/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P