Jul 25, 2021
Sometimes an application behaves differently when it is passed “..” in a path.
If the application/BFF doesn’t interpret the dots correctly, it can pass the entire path to the microservice.
The microservice, however, understands that “..” means going back one directory.
If this happens, an attacker can see additional information in the form of headers or response text.
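
The mismatch described above, and a check that closes it at the BFF, as an added example that is not code from the original post. It goes slightly beyond the literal “..” case by also refusing percent-encoded and backslash forms of the same segment. The route prefix, the function names, the sample paths and the model of how the microservice resolves paths are all assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

ALLOWED_PREFIX = "/api/public/"  # hypothetical route the BFF may proxy

def naive_bff_allows(path: str) -> bool:
    """BFF that treats the path as an opaque string: prefix check only."""
    return path.startswith(ALLOWED_PREFIX)

def backend_view(path: str) -> str:
    """Assumed model of a microservice that decodes and resolves dot segments."""
    return posixpath.normpath(unquote(path))

def strict_bff_allows(path: str) -> bool:
    """Decode until stable, refuse any dot segment, then check the prefix."""
    decoded = path
    for _ in range(3):  # bounded rounds, covers double encoding
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return False  # still changing after three rounds: refuse
    decoded = decoded.replace("\\", "/")  # some backends treat "\" as "/"
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    return decoded.startswith(ALLOWED_PREFIX)

# Constructed sample request paths, not taken from a real system.
SAMPLES = [
    "/api/public/items/42",
    "/api/public/../internal/status",
    "/api/public/%2e%2e/internal/status",
    "/api/public/%252e%252e/internal/status",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:45} naive={naive_bff_allows(p)} "
              f"strict={strict_bff_allows(p)} backend={backend_view(p)}")
```

Rejecting the request is safer than rewriting it: if the BFF forwards a normalized path, both tiers must still agree on every decoding rule, whereas a refusal leaves nothing for the microservice to reinterpret.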