Consider the following command on Node v20.0.0:
node --experimental-permission --allow-fs-read=* --allow-fs-write=/home/kali/restricted/ poc.js
This command is intended to restrict write access to only files present in the directory /home/kali/restricted
However if we have the following poc.js:
const fs = module.require('fs')
fs.writeFileSync("/home/kali/restricted/../secret.txt", "Target Overwritten!")
This apparently matches the directory /home/kali/restricted/ directory check and then writes to /home/kali/secret.txt (by using …/), which is not intended, bypassing the experimental permission policy for files.
Path traversal when checking experimental file permission policy