Two vulnerabilities have been identified in Node.js, both of which affect users employing specific experimental features. The first vulnerability involves the experimental permission model, particularly when the --allow-fs-read flag is used. This flaw allows malicious actors to retrieve file stats via the fs.lstat API, even for files they do not have explicit read access to, thereby compromising the intended file access restrictions. This issue impacts users of Node.js versions 20 and 21. The second vulnerability allows the bypassing of network import restrictions by embedding non-network imports within data URLs, enabling attackers to execute arbitrary code. This flaw poses significant security risks to developers and servers, as it can be exploited to violate network import security. To mitigate this issue, data URLs in network imports are now forbidden.