The vulnerability description and the official Node.js security advisory explicitly mention fs.fchown and fs.fchmod as the functions that can bypass the permission model. These functions, part of the built-in 'fs' module, allow modification of file ownership and permissions using a file descriptor, even if that descriptor was obtained with read-only access. This behavior circumvents the intended restrictions of the experimental permission model when the --allow-fs-write flag is active. Since no commit information was provided, the analysis relies on the textual descriptions of the vulnerability from trusted sources like the Node.js security blog and GitHub advisories which clearly identify these functions as the source of the vulnerability by allowing operations on file descriptors that should be restricted by the permission model under certain conditions (use of --allow-fs-write flag).