Rollup Module Bundler Path Traversal Vulnerability Leading to Arbitrary File Write
Vulnerability
A vulnerability allowing arbitrary file writes via path traversal has been identified in the Rollup module bundler. The issue affects versions prior to 2.80.0, versions 3.0.0 through 3.29.9, and versions 4.0.0 up to but not including 4.59.0. It arises from inadequate sanitization of output file names in the core engine: an attacker who controls an output file name can include traversal sequences so that the bundle is written outside the intended output directory, overwriting files on the host filesystem. Because the overwritten file can be a critical system or user configuration file, this can result in persistent remote code execution.
Impact
Exploitation of this vulnerability allows arbitrary file writes with the privileges of the user running the build, so any file that user can write, including user configuration files or critical system files, can be overwritten. This could lead to unauthorized code execution on the affected system.
Reproduction
The vulnerability can be reproduced through the Rollup CLI or a configuration file that specifies an output file name containing traversal sequences. For example, an output name such as 'bypass/../../../../../../../Users/vaghe/OneDrive/Desktop/pwned_desktop.js' causes Rollup to write the bundle to a file on the user's desktop, outside the intended output directory.
Remediation
Users should update to Rollup 2.80.0, 3.30.0, or 4.59.0, whichever corresponds to their major version; these releases contain the fix for this vulnerability.
