Node.js · CVE-2026-21715
**Name of the Vulnerable Software and Affected Versions**
Node.js versions 20.x through 25.x
**Description**
The filesystem enforcement of the Node.js Permission Model is flawed: `fs.realpathSync.native()` does not perform the read permission checks that comparable filesystem functions correctly enforce. Consequently, code running under the `--permission` flag with a restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to verify file existence, resolve symbolic link targets, and list filesystem paths outside of authorized directories. The affected API endpoint is not explicitly mentioned.
**Recommendations**
Versions 20.x through 25.x are affected and require mitigation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
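
Until a fixed release is identified, one possible stopgap is a preload script (loaded with `--require`) that makes `fs.realpathSync.native()` consult `process.permission.has('fs.read', ...)` before resolving. This is an added example, not code from the Node.js project; the names `guardRealpathNative` and `toAbsolutePath` are hypothetical, and the wrapper only covers callers that reach the function through the shared `fs` module object, so it does not replace a patched runtime.

```javascript
'use strict';
// Added example (not Node.js project code): stopgap guard for CVE-2026-21715.
const fs = require('node:fs');
const path = require('node:path');
const { fileURLToPath } = require('node:url');

// Normalise the string | Buffer | URL forms that fs APIs accept to an
// absolute path, so "../" segments cannot slip past the permission lookup.
function toAbsolutePath(p) {
  if (p instanceof URL) return fileURLToPath(p);
  if (Buffer.isBuffer(p)) p = p.toString();
  return path.resolve(String(p));
}

// Wrap fsModule.realpathSync.native so it asks the permission object first.
// `permission` must expose has(scope, reference), as process.permission does.
function guardRealpathNative(fsModule, permission) {
  const original = fsModule.realpathSync.native;
  if (original.__permissionGuarded) return original; // already wrapped
  function guardedNative(p, options) {
    const target = toAbsolutePath(p);
    if (!permission.has('fs.read', target)) {
      // Error shape modelled on Node's ERR_ACCESS_DENIED; built here by hand.
      const err = new Error('Access to this API has been restricted');
      err.code = 'ERR_ACCESS_DENIED';
      err.permission = 'FileSystemRead';
      err.resource = target;
      throw err;
    }
    return original.call(fsModule, p, options);
  }
  guardedNative.__permissionGuarded = true;
  fsModule.realpathSync.native = guardedNative;
  return guardedNative;
}

// process.permission only exists when the process was started with
// --permission, so without that flag this file changes nothing.
if (process.permission) guardRealpathNative(fs, process.permission);

module.exports = { guardRealpathNative, toAbsolutePath };
```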