MEDIUM · CVSS 6.1
CVE-2024-47068 — Rollup dev-mode XSS
A development-mode XSS in Rollup's sourcemap handling could execute attacker-controlled JavaScript in the browser of a developer whose dev server serves a poisoned sourcemap.
Affects
- rollup < 2.79.2
- rollup < 3.29.5
- rollup < 4.22.4
What an attacker does
The attacker supplies a crafted module URL resolved by a Rollup-based dev server (Vite). A developer browsing the dev-server page executes attacker JavaScript in the browser context — usable to exfiltrate dev-server state, local files, or cookies.
How to detect
Check the Vite / SvelteKit / Nuxt version in use; each pins Rollup, so the framework release determines which Rollup version is installed (including nested copies in the lockfile).
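Because frameworks pin Rollup and a lockfile can hold several nested copies, a version check has to cover every rollup entry and compare against the fixed version for its own major line. The following is an added example (not code from the advisory, Rollup or Vite) that scans a lockfileVersion 2/3 package-lock.json object; the sample lockfile is constructed.

```javascript
// Added example: find every rollup copy in a package-lock.json ("packages" map,
// lockfileVersion 2/3) and test it against the fixed versions from the advisory.
const FIXED = { 2: [2, 79, 2], 3: [3, 29, 5], 4: [4, 22, 4] }; // 2.79.2, 3.29.5, 4.22.4

// Parse "MAJOR.MINOR.PATCH" (a prerelease suffix is ignored for the comparison).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a release version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Vulnerable iff the version is below the fix for its own major line.
// Everything below 2.79.2 (1.x included) falls under the "< 2.79.2" range.
function isVulnerableRollup(version) {
  const v = parseSemver(version);
  const fixed = v[0] <= 2 ? FIXED[2] : FIXED[v[0]];
  if (!fixed) return false; // a later major line is outside the advisory's ranges
  return cmp(v, fixed) < 0;
}

// Walk the "packages" map; top-level and nested copies both end in node_modules/rollup.
function findVulnerableRollups(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/rollup")) continue;
    if (isVulnerableRollup(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project): a patched top-level rollup,
// plus two vulnerable copies pinned by other dependencies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/rollup": { version: "4.22.4" },
    "node_modules/vite": { version: "5.0.0" },
    "node_modules/vite/node_modules/rollup": { version: "4.21.0" },
    "node_modules/legacy-tool/node_modules/rollup": { version: "2.79.1" },
  },
};

console.log(findVulnerableRollups(SAMPLE_LOCK));
```

Point `findVulnerableRollups` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it on a real project; an empty result means every installed Rollup copy is at or past its fixed version.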
How to fix
Upgrade Vite / SvelteKit / Nuxt to a current release so the pinned Rollup moves to 2.79.2, 3.29.5 or 4.22.4 or later. Never expose the dev server to the internet.
How Securie catches it
Securie flags Rollup in the dev-dependency chain of modern frontend frameworks.