xiaomusic version 0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint. The vulnerability allows attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can bypass path restrictions by crafting traversal sequences that target sibling directories sharing the music_path prefix. The vulnerability stems from a missing trailing separator in the comparison logic. This allows unauthenticated access to arbitrary files on the server.