Permission model restrictions imposed through process.permission.deny can be bypassed through case-insensitive paths #47105

@tniessen

process.permission.deny() does not respect whether the relevant directories use case-insensitive path processing. Thus, unless an exponential number of paths is given to process.permission.deny(), one can easily bypass such a restriction by changing capitalization:

```
C:\>node --experimental-permission --allow-fs-read=* --allow-fs-write=*
(node:44336) ExperimentalWarning: Permission is an experimental feature
(Use `node --trace-warnings ...` to show where the warning was created)
Welcome to Node.js v20.0.0-nightly2023031585d614090b.
Type ".help" for more information.
> process.permission.deny('fs.read', ['C:\\Windows\\System32\\*'])
true
> fs.readdirSync('C:\\Windows\\System32')
Uncaught Error: Access to this API has been restricted
    at Object.readdirSync (node:fs:1454:26) {
  code: 'ERR_ACCESS_DENIED',
  permission: 'FileSystemRead',
  resource: '\\\\?\\C:\\Windows\\System32'
}
> fs.readdirSync('C:\\wIndows\\sYstem32')
[
  ...
]
```

Note that some directories process paths in a case-sensitive manner even on Windows, so simply matching case-insensitively on Windows is not correct in general either. Conversely, as @richardlau pointed out below, macOS and Linux also support case-insensitive mounts, so this is not just a Windows issue.


I'm opening this as a public issue because the feature hasn't been released yet due to previous vulnerabilities (see #46975 (comment)).

This vulnerability is unrelated to the far more significant fs-related vulnerabilities discussed in #47090.

Labels: fs (Issues and PRs related to the fs subsystem / file system), permission (Issues and PRs related to the Permission Model), security (Issues and PRs related to security).