st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL encoded dots, which caused
%2e to be interpreted as
. by the filesystem, resulting the potential for an attacker to read sensitive files on the server.
Update to version 0.2.5 or later.