There recently was a bugfix for a vulnerability of the appserver's web request/response interface.
This vulnerability was present in versions prior to 1.0.3 and was exposed by the bundled webserver's HTTP parsing library. The URI as coming from a web client was not normalized correctly which allowed for traversal movement through the file system of the host without the restriction of the configured document root. This allowed for access of otherwise inaccessible files trough specially crafted HTTP requests.
We STRONGLY advise everyone to update to version 1.0.3 or higher.
You might alternatively update the appserver-io/http composer package to version 1.1.1.