[Node] Path traversal through path stored in Uint8Array
We discussed this vulnerability during Episode 219 on 20 October 2023
A straightforward path traversal issue in NodeJS. Node’s fs functions allow specifying paths in the form of either strings or Uint8Array objects. It seems the support for Uint8Array is for the Buffer class which extends from Uint8Array. Node’s new experimental permission model will check for path traversal in the fs function family. However, while strings and Buffer objects are checked, Uint8Array objects simply aren’t and can bypass the path traversal checks.
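
The gap described above is a check that branches on argument type and lets unrecognized types through. As an added example (not code from Node.js or from the original post), the sketch below models that flawed shape beside a hardened one that coerces every accepted path type to a single string before checking; the function names and the /srv/app/data root are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the flaw, not Node's source.
const path = require('path').posix; // posix rules for deterministic output
const { fileURLToPath } = require('url');

const ALLOWED_ROOT = '/srv/app/data'; // constructed sample root

// True when p, once resolved, stays at or below root.
function inside(root, p) {
  const full = path.resolve(root, p);
  return full === root || full.startsWith(root + path.sep);
}

// Flawed shape: only the types the check knows about are validated;
// anything else is passed on to the file system layer unchecked.
function naiveIsAllowed(p) {
  if (typeof p === 'string') return inside(ALLOWED_ROOT, p);
  if (Buffer.isBuffer(p)) return inside(ALLOWED_ROOT, p.toString());
  return true; // a plain Uint8Array lands here
}

// Hardened shape: normalize every accepted type to one string form,
// reject unknown types, then run a single containment check.
function toPathString(p) {
  if (typeof p === 'string') return p;
  if (p instanceof URL) return fileURLToPath(p);
  if (ArrayBuffer.isView(p)) {
    // Covers Buffer, Uint8Array and other views over the same bytes.
    return Buffer.from(p.buffer, p.byteOffset, p.byteLength).toString();
  }
  throw new TypeError('unsupported path type');
}

function strictIsAllowed(p) {
  const s = toPathString(p);
  if (s.includes('\0')) return false; // embedded NUL is never a valid path
  return inside(ALLOWED_ROOT, s);
}

// Constructed sample input: the same bytes in three representations.
const traversal = '/srv/app/data/../../../etc/passwd';
const asBuffer = Buffer.from(traversal);
const asU8 = new Uint8Array(asBuffer);
const benignU8 = new Uint8Array(Buffer.from('/srv/app/data/report.txt'));
```

The design point is that the set of types a validator understands must be at least as wide as the set the guarded API accepts, with a default of deny for anything else.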