fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20. This flaw arises from a missing check in the fs.openAsBlob() API. This vulnerability affects all users using the experimental permission model in Node.js 20. Thanks to Colin Ihrig for reporting this vulnerability and to Rafael Gonzaga for fixing it. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.