diff --git a/vulnerable_path_traversal.py b/vulnerable_path_traversal.py
index 8f83550..3e015c4 100644
--- a/vulnerable_path_traversal.py
+++ b/vulnerable_path_traversal.py
@@ -46,7 +46,10 @@ def get_user_file(user_id, filename):
 @app.route('/image')
 def serve_image():
     img_name = request.args.get('name')
-    img_path = "./static/images/" + img_name
+    base_dir = os.path.realpath("./static/images/")
+    img_path = os.path.realpath(os.path.join(base_dir, img_name))
+    if not img_path.startswith(base_dir):
+        return 'Access denied', 403
     return send_file(img_path)
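Review bot: The new `img_path.startswith(base_dir)` check in serve_image is a plain string-prefix test, so a sibling directory whose name begins with `images` (e.g. a request resolving to `<root>/static/images_private/x`) still passes because `base_dir` has no trailing separator after `realpath`; compare path components instead, e.g. `if os.path.commonpath([base_dir, img_path]) != base_dir:` (or `img_path == base_dir or img_path.startswith(base_dir + os.sep)` if a directory path itself should be rejected). Separately, `request.args.get('name')` returns `None` when the parameter is absent, and `os.path.join(base_dir, None)` then raises `TypeError` before the check runs, turning a malformed request into a 500; guard it first with `if not img_name: return 'Bad request', 400`. The traversal and absolute-path cases (`../`, a leading `/`) are handled correctly by `realpath` + containment, and symlinks inside the directory that point outside are rejected for the same reason. The hunk header counts (7 old / 10 new lines) suggest one or two trailing context lines are not shown here, so anything after `return send_file(img_path)` is outside this view.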