| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| gogs.io/gogs | go | < 0.12.9 | 0.12.9 |

The vulnerability stems from improper path sanitization in Windows environments. The commit diff shows that the `Clean` function was modified to add backslash replacement (`` strings.ReplaceAll(p, `\`, "/") ``). The test cases added in `pathutil_test.go` exercise Windows-style path traversal attempts that were previously unhandled. Because `Clean` did not normalize Windows path separators before sanitizing, backslash-separated `..` elements passed through it and bypassed the directory restriction, which makes `Clean` the clear vulnerable function.
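The following added example (not code from the gogs repository) contrasts a slash-only sanitizer with one that applies the backslash replacement described above. The function names `cleanBefore`, `cleanAfter` and `hasWindowsTraversal` are hypothetical, the slash-only cleaning via `path.Clean` is an assumption about the pre-fix behaviour, and the input paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanBefore models a sanitizer that only treats "/" as a separator
// (assumed pre-fix behaviour): backslash-separated ".." elements survive.
func cleanBefore(p string) string {
	return strings.Trim(path.Clean("/"+p), "/")
}

// cleanAfter normalizes backslashes first, as the advisory describes,
// so path.Clean sees every ".." element and resolves it under the root.
func cleanAfter(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	return strings.Trim(path.Clean("/"+p), "/")
}

// hasWindowsTraversal reports whether p still contains a ".." element
// when split the way Windows splits paths, on both "/" and "\".
func hasWindowsTraversal(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, elem := range strings.FieldsFunc(p, isSep) {
		if elem == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: POSIX-style, Windows-style, and mixed separators.
	inputs := []string{`../../data/secret.txt`, `..\..\data\secret.txt`, `a/..\..\b`}
	for _, in := range inputs {
		b, a := cleanBefore(in), cleanAfter(in)
		fmt.Printf("%-26q before=%-26q unsafe=%-5v after=%-18q unsafe=%v\n",
			in, b, hasWindowsTraversal(b), a, hasWindowsTraversal(a))
	}
}
```

The same `hasWindowsTraversal` check can serve as a regression test assertion on any sanitizer output that is later joined to a base directory on Windows.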