Node.js · Node.js · CVE-2023-30582
**Name of the Vulnerable Software and Affected Versions**
Node.js version 20
**Description**
A flaw has been identified in the experimental permission model of Node.js that appears when the `--allow-fs-read` flag is used with an argument other than `*`. The permission model fails to restrict file watching through the `fs.watchFile` API, allowing malicious actors to monitor files they do not have explicit read access to.
**Recommendations**
For Node.js version 20, consider disabling the experimental permission model or restricting the use of the `--allow-fs-read` flag with arguments other than `*` until a patch is available. As a temporary workaround, avoid using the `fs.watchFile` API with sensitive files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
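
One way to apply the temporary workaround in first-party code is to make `fs.watchFile` perform the `fs.read` check itself. This is an added example, not code from the advisory or the Node.js project; `toAbsolutePath`, `mayWatch` and `hardenWatchFile` are hypothetical helper names, and the error fields are set to resemble the permission model's own `ERR_ACCESS_DENIED` errors.

```javascript
// Added example, not Node.js project code. toAbsolutePath, mayWatch and
// hardenWatchFile are hypothetical helper names.
const fs = require('node:fs');
const path = require('node:path');
const { fileURLToPath } = require('node:url');

// fs.watchFile accepts a string, Buffer or file: URL; normalise to an absolute path.
function toAbsolutePath(file) {
  return path.resolve(file instanceof URL ? fileURLToPath(file) : String(file));
}

// True when watching `file` is consistent with the granted read permissions.
// process.permission is undefined unless the permission model is enabled.
function mayWatch(file, permission = process.permission) {
  if (!permission) return true; // model disabled: nothing to enforce
  return permission.has('fs.read', toAbsolutePath(file));
}

// Replace fsImpl.watchFile with a version that checks fs.read first.
// Returns a function that restores the original.
function hardenWatchFile(fsImpl = fs, permission = process.permission) {
  const original = fsImpl.watchFile;
  fsImpl.watchFile = function guardedWatchFile(file, ...rest) {
    if (!mayWatch(file, permission)) {
      const err = new Error('fs.watchFile blocked: fs.read not granted for this path');
      err.code = 'ERR_ACCESS_DENIED'; // same code the permission model uses
      err.permission = 'FileSystemRead';
      err.resource = toAbsolutePath(file);
      throw err;
    }
    return original.call(this, file, ...rest);
  };
  return () => { fsImpl.watchFile = original; };
}

// Install on the real fs module only when the permission model is active.
if (process.permission) hardenWatchFile();
```

Load this before any other module, because a `watchFile` reference destructured from `fs` earlier keeps pointing at the unguarded function. It guards first-party call sites and is not a substitute for the runtime enforcing the check.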