The vulnerability description points to a path traversal vulnerability in the HttpClient class when handling file downloads. By analyzing the source code of resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java, I identified the readResponse method as the location of the vulnerability. The method extracts the filename from the Content-Disposition header of the server's response. This filename is then concatenated with a user-provided directory path to create the final file path for the downloaded file. Crucially, the code fails to sanitize the filename, making it possible for a malicious server to include path traversal characters (../) in the filename. This allows an attacker to write files to arbitrary locations on the file system where the client application has write permissions. The public methods get(), post(), put(), patch(), and delete() can all trigger this vulnerable code path if a file download is initiated.