diff --git a/Controllers/VulnerableController.cs b/Controllers/VulnerableController.cs
index e4bf24f..34a6ed4 100644
--- a/Controllers/VulnerableController.cs
+++ b/Controllers/VulnerableController.cs
@@ -54,8 +54,18 @@ public IActionResult PingServer(string hostname)
 [HttpGet("download")]
 public IActionResult DownloadFile(string filename)
 {
- // Vulnerable: No path validation
- var filePath = $"/var/www/files/(unknown)";
+ // Validate and normalize the requested file path to prevent path traversal
+ var baseDirectory = "/var/www/files";
+ var baseDirectoryFullPath = System.IO.Path.GetFullPath(baseDirectory);
+ var combinedPath = System.IO.Path.Combine(baseDirectoryFullPath, filename ?? string.Empty);
+ var filePath = System.IO.Path.GetFullPath(combinedPath);
+
+ // Ensure the resolved path is still within the intended base directory
+ if (!filePath.StartsWith(baseDirectoryFullPath + System.IO.Path.DirectorySeparatorChar))
+ {
+ return BadRequest("Invalid file path.");
+ }
+
 if (System.IO.File.Exists(filePath))
 {
 var fileBytes = System.IO.File.ReadAllBytes(filePath);
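Review bot: The containment check at `if (!filePath.StartsWith(baseDirectoryFullPath + System.IO.Path.DirectorySeparatorChar))` uses the culture-sensitive default overload of `StartsWith`; a path prefix is a machine comparison and should be ordinal, so change it to `if (!filePath.StartsWith(baseDirectoryFullPath + System.IO.Path.DirectorySeparatorChar, StringComparison.Ordinal))` (analyzer CA1310). `Path.GetFullPath` collapses `..` segments but does not resolve symbolic links, so a link placed inside the base directory that points elsewhere still passes this check; a one-line comment above the `if` stating that limitation would keep the next maintainer from treating the prefix check as a complete guarantee. `Path.GetFullPath` also throws `ArgumentException` when the name contains an embedded null character, which would surface as an unhandled error instead of the `BadRequest` the hunk intends, so wrapping the normalization in a `try`/`catch (ArgumentException)` that returns `BadRequest` is worth considering. The body of `DownloadFile` continues past the end of the hunk.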