This vulnerability in Node.js stems from improper enforcement of the permission model on the fs.realpathSync.native() function. While other filesystem functions correctly enforce read permission restrictions under the --permission flag with limited --allow-fs-read, fs.realpathSync.native() does not. This allows processes running with restricted filesystem read permissions to access information about files and directories outside their permitted scope by checking file existence, resolving symbolic links, and enumerating paths. Affected versions include Node.js 20.x, 22.x, 24.x, 25.x, and earlier major versions. The CVSS 3.0 vector indicates the attack requires local access with low complexity and privileges, does not require user interaction, and impacts confidentiality with no integrity or availability impact.

The vulnerability allows limited unauthorized information disclosure by bypassing intended filesystem read restrictions. Specifically, it enables code with restricted filesystem read permissions to determine file existence, resolve symlinks, and enumerate filesystem paths outside the allowed directories. This could lead to exposure of filesystem structure or presence of sensitive files but does not allow modification or denial of service. The CVSS score of 3.3 and low severity rating reflect this limited confidentiality impact. There are no known exploits in the wild.

Patch status is not yet confirmed — check the official Node.js vendor advisory for current remediation guidance. Until a fix is available, avoid running untrusted code with restricted --allow-fs-read permissions relying on fs.realpathSync.native() for security enforcement. Consider using alternative filesystem functions that correctly enforce permission checks or implement additional access controls at the application level. Monitor Node.js security channels for updates regarding patches or official fixes.