Node.js Permission Model Filesystem Bypass Vulnerability in fs.realpathSync.native()

A vulnerability exists in the Node.js Permission Model's filesystem enforcement, specifically in the realpathSync.native() function. This function lacks the necessary read permission checks, unlike other similar filesystem functions that enforce these checks correctly. Consequently, in Node.js processes running under the Permission Model with restricted --allow-fs-read, fs.realpathSync.native() can still be used to check file existence, resolve symlink targets, and enumerate filesystem paths outside of allowed directories. This issue affects Node.js versions 20.x, 22.x, 24.x, and 25.x.

Impact

Exploitation of this vulnerability allows unauthorized file existence checks, symlink resolution, and enumeration of filesystem paths outside permitted directories, potentially leading to information disclosure or unauthorized access to files.

Remediation

Users can update to the latest Node.js versions in the 20.x, 22.x, 24.x, and 25.x release lines to address this vulnerability.