| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| n8n | npm | < 1.99.0 | 1.99.0 |
The vulnerability lies in the BinaryDataController class, which is responsible for handling requests to the /rest/binary-data endpoint. The core of the issue is insufficient validation of the binaryDataId parameter, specifically when it represents a filesystem URI.
Analysis of patch commit 43c52a8b4f844e91b02e3cc9df92826a2d7b6052 shows that the application did not correctly handle URIs with an empty path component, such as filesystem:// or filesystem-v2://. When the get or getSigned methods of the BinaryDataController received such a URI, the underlying file handling logic would likely enter an infinite loop or a state of high resource consumption while trying to resolve an empty path, causing the service to become unresponsive.
The patch addresses this by introducing stricter validation. It now explicitly checks if the path part of the URI is empty (''), a single slash ('/'), or a double slash ('//') and throws a BadRequestError if it is. This prevents the malformed input from reaching the vulnerable processing logic.
The get method is directly implicated by the new tests added in the patch. The getSigned method is also identified as vulnerable because its corresponding tests were updated to align with the new error handling, indicating it was affected by the same flaw and fixed by the same change.
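The following is an added illustration of the kind of input check the patch describes; it is not n8n's code. It assumes a binaryDataId of the shape `<mode>:<path>` (so `filesystem://` yields the path `//`), that the only modes are `filesystem` and `filesystem-v2`, and uses a hypothetical `BadRequestError` class and `parseBinaryDataId` function.

```typescript
// Added example, not code from n8n. Models the validation the patch adds:
// a path part of '', '/' or '//' is rejected before any file resolution runs.

class BadRequestError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'BadRequestError';
    // Keep instanceof working when compiled to older targets.
    Object.setPrototypeOf(this, BadRequestError.prototype);
  }
}

// Assumed set of storage modes; the page only names these two.
const ALLOWED_MODES = new Set(['filesystem', 'filesystem-v2']);

interface ParsedBinaryDataId {
  mode: string;
  path: string;
}

// Hypothetical parser: splits "<mode>:<path>" and enforces the empty-path check.
function parseBinaryDataId(binaryDataId: string): ParsedBinaryDataId {
  const sep = binaryDataId.indexOf(':');
  if (sep === -1) {
    throw new BadRequestError('binaryDataId is missing a mode prefix');
  }
  const mode = binaryDataId.slice(0, sep);
  const path = binaryDataId.slice(sep + 1);
  if (!ALLOWED_MODES.has(mode)) {
    throw new BadRequestError(`Unknown binary data mode: ${mode}`);
  }
  // The degenerate paths the patch rejects. Without this check a request such as
  // "filesystem://" reaches the file-resolution logic with nothing to resolve.
  if (path === '' || path === '/' || path === '//') {
    throw new BadRequestError('Invalid binary data path');
  }
  return { mode, path };
}

// Convenience wrapper: true when the id would pass the check, false when it
// would be answered with a 400, rethrowing anything unexpected.
function isValidBinaryDataId(binaryDataId: string): boolean {
  try {
    parseBinaryDataId(binaryDataId);
    return true;
  } catch (e) {
    if ((e as Error).name === 'BadRequestError') return false;
    throw e;
  }
}
```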