m-server is vulnerable to directory traversals. The application does not restrict escape characters, allowing a malicious user to traverse the directories using a curl request such as http://localhost:8080/../../../../../../etc/passwd
to gain sensitive information.