@@ -320,9 +320,17 @@ the community they pose.
320320 * Avoid exposing low-level or dangerous APIs directly to untrusted users.
321321
322322* Examples of scenarios that are ** not** Node.js vulnerabilities:
323- * Allowing untrusted users to register SQLite user-defined functions that can
324- perform arbitrary operations (e.g., closing database connections during query
325- execution, causing crashes or use-after-free conditions).
323+ * Allowing untrusted users to register SQLite user-defined functions via
324+ ` node:sqlite ` (` DatabaseSync ` ) that can perform arbitrary operations
325+ (e.g., closing database connections during query execution, causing crashes
326+ or use-after-free conditions).
327+ * Loading SQLite extensions using the ` allowExtension ` option in
328+ ` DatabaseSync ` — this option must be explicitly set to ` true ` by the
329+ application, and enabling it is the application operator's responsibility.
330+ * Using ` node:sqlite ` built-in SQL functions or pragmas (e.g.,
331+ ` ATTACH DATABASE ` ) to read or write files — ` DatabaseSync ` operates with
332+ the same file-system access as the process itself, and it is the
333+ application's responsibility to restrict what SQL is executed.
326334 * Exposing ` child_process.exec() ` or similar APIs to untrusted users without
327335 proper input validation, allowing command injection.
328336 * Allowing untrusted users to control file paths passed to file system APIs
@@ -362,6 +370,56 @@ the community they pose.
362370 responsibility to properly handle errors by attaching appropriate
363371 ` 'error' ` event listeners to EventEmitters that may emit errors.
364372
373+ #### Permission Model Boundaries (` --permission ` )
374+
375+ The Node.js [ Permission Model] ( https://nodejs.org/api/permissions.html )
376+ (` --experimental-permission ` ) is an opt-in mechanism that limits which
377+ resources a Node.js process may access. It is designed to reduce the blast
378+ radius of mistakes in trusted application code, ** not** to act as a security
379+ boundary against intentional misuse or a compromised process.
380+
381+ The following are ** not** vulnerabilities in Node.js:
382+
383+ * ** Operator-controlled flags** : Behavior unlocked by flags the operator
384+ explicitly passes (e.g., ` --localstorage-file ` ) is the operator's
385+ responsibility. The permission model does not restrict how Node.js behaves
386+ when the operator intentionally configures it.
387+
388+ * ** ` node:sqlite ` and the permission model** : ` DatabaseSync ` operates with the
389+ same file-system privileges as the process. Using SQL pragmas or built-in
390+ SQLite mechanisms (e.g., ` ATTACH DATABASE ` ) to access files does not bypass
391+ the permission model — the permission model does not intercept SQL-level
392+ file operations.
393+
394+ * ** Path resolution and symlinks** : ` fs.realpathSync() ` , ` fs.realpath() ` , and
395+ similar functions resolve a path to its canonical form before the permission
396+ check is applied. Accessing a file through a symlink that resolves to an
397+ allowed path is the intended behavior, not a bypass. TOCTOU races on
398+ symlinks that resolve within the allowed list are similarly not considered
399+ permission model bypasses.
400+
401+ * ** ` worker_threads ` with modified ` execArgv ` ** : Workers inherit the permission
402+ restrictions of their parent process. Passing an empty or modified ` execArgv `
403+ to a worker does not grant it additional permissions.
404+
405+ #### V8 Sandbox
406+
407+ The V8 sandbox is an in-process isolation mechanism internal to V8 that is not
408+ a Node.js security boundary. Node.js does not guarantee or document the V8
409+ sandbox as a security feature, and it is not enabled in a way that provides
410+ security guarantees in production Node.js builds. Reports about escaping the V8
411+ sandbox are not considered Node.js vulnerabilities; they should be reported
412+ directly to the [ V8 project] ( https://v8.dev/docs/security-bugs ) .
413+
414+ #### CRLF Injection in ` writeEarlyHints() `
415+
416+ ` ServerResponse.writeEarlyHints() ` accepts a ` link ` header value that is set
417+ by the application. Passing arbitrary strings, including CRLF sequences, as
418+ the ` link ` value is an application-level misuse of the API, not a Node.js
419+ vulnerability. Node.js validates the structure of Early Hints per the HTTP spec
420+ but does not sanitize free-form application data passed to it; that is the
421+ application's responsibility.
422+
365423## Assessing experimental features reports
366424
367425Experimental features are eligible for security reports just like any other
0 commit comments