The vulnerability stems from how root path normalization and comparison were handled in SendStream's pipe method. The original code normalized the root without a trailing separator (normalize(root)), then checked if the requested path started with this root. This allowed paths like '/public-restricted' to match '/public' due to partial prefix matching. The fix adds a trailing separator to the root during normalization (normalize(root + sep)), ensuring exact directory boundary matching. The code changes in lib/send.js and associated test cases in the commit confirm this was the vulnerable function.