Note: the server is also running behind NGINX.
The application is simple enough: it serves videos and has both public and unlisted videos. The Dockerfile uses FROM kmh11/python3.1, which is weird because Python 3.1 was released nearly 11 years ago. To ensure the name wasn't misleading, I ended up verifying the Python binary in the Docker image, but I didn't find any related vulnerabilities. However, there is a noticeable vulnerability in how paths are handled.