| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.shiro:shiro-core | maven | < 1.9.1 | 1.9.1 |
The vulnerability arises from how RegexRequestMatcher handles regex patterns containing dots (.) in certain servlet containers. The advisory explicitly ties the issue to RegexRequestMatcher and RegExPatternMatcher configurations whose regex contains a dot. The matches() method of RegexRequestMatcher evaluates the request path against the regex. When the regex includes a dot (whether intended as a literal or as a wildcard), the servlet container may normalize or decode the path in ways that cause the regex to match unintended paths, leading to an authorization bypass. The fix in Shiro 1.9.1 likely addresses this by improving path handling or regex anchoring in this method.
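To make the failure mode concrete, the following added example (constructed for this page, not Shiro's code) contrasts a naive matcher that applies a dot-containing regex to the raw request path with a hardened matcher that canonicalises the path first and anchors the pattern. The rule `/admin/.*`, the request paths and the function names are all hypothetical.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Hypothetical access rule: every resource under /admin/ requires authentication.
PROTECTED_PATTERN = r"/admin/.*"


def canonical_path(raw_path: str) -> str:
    """Decode percent-encoding and collapse '.' / '..' / '//' segments,
    approximating what a servlet container does before resolving a resource."""
    canon = normpath(unquote(raw_path))
    return canon if canon.startswith("/") else "/" + canon


def naive_requires_auth(raw_path: str) -> bool:
    """Regex applied to the raw path with a prefix match, before any
    decoding or normalisation: the matcher and the container disagree
    about which resource the request actually reaches."""
    return re.match(PROTECTED_PATTERN, raw_path) is not None


def hardened_requires_auth(raw_path: str) -> bool:
    """Regex applied to the canonical path, anchored at both ends (fullmatch),
    with DOTALL so a decoded line terminator cannot stop '.' from matching."""
    return re.fullmatch(PROTECTED_PATTERN, canonical_path(raw_path), re.DOTALL) is not None


def compare(raw_path: str) -> tuple:
    """Return (canonical path, naive decision, hardened decision) for a request."""
    return canonical_path(raw_path), naive_requires_auth(raw_path), hardened_requires_auth(raw_path)


if __name__ == "__main__":
    # Constructed sample requests: a traversal that resolves into /admin/,
    # an encoded traversal that resolves out of it, and an encoded newline.
    for p in ["/admin/users", "/public/../admin/users", "/admin/%2e%2e/users", "/admin/users%0a"]:
        print(p, "->", compare(p))
```

The second request shows the bypass the advisory describes: the naive matcher never sees `/admin/`, so no authentication is demanded, while the container serves `/admin/users`.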