Impact
A flaw in the Node.js Permission API allows an application to change file metadata even when the target path has been marked read‑only with flags such as --allow-fs-read, enabling unexpected alteration of non‑executable attributes. This weakness falls under the Incorrect Default Permissions category and permits modification of data that should otherwise be immutable, potentially leading to configuration drift, audit failures, or subtle integrity violations. The impact is primarily a data integrity issue that could aid in further exploitation if metadata changes affect security controls or application logic.
Affected Systems
The vulnerability affects all currently supported Node.js release lines, including Node.js 22, Node.js 24, and Node.js 26. It is relevant to any deployment that enables the Permission API with read‑only filesystem flags, regardless of operating system or runtime environment.
Risk and Exploitability
The CVSS score of 3.3 reflects low severity. The EPSS score is 0.00149 (<1%), and the vulnerability is not listed in CISA KEV, indicating low public exploitation pressure. The likely attack surface is local filesystem interaction within the Node.js runtime, requiring the attacker to run code with the same privileges as the application. Because the flaw permits changing non‑executable metadata on paths intended to be read‑only, an attacker with local code execution could modify configuration details or other metadata that affects application behavior, but would not gain remote code execution or full control of the system on its own.
OpenCVE Enrichment