Why this matters
The bug. Path('/var/uploads') / '../../etc/passwd' is /var/uploads/../../etc/passwd, which the operating system resolves to /etc/passwd when send_file opens it. The .exists() check still passes — the file *does* exist, just not where the code assumes.
The fix. resolve() collapses .. (and follows symlinks); after that, check that the result is still inside UPLOAD_DIR, which must itself be a resolved absolute path or the ancestor comparison never matches:
target = (UPLOAD_DIR / filename).resolve()
if UPLOAD_DIR not in target.parents: abort(404)  # fail closed: anything not strictly below the root is rejected
The puzzle accepts the resolve() change; in real code add the containment check too.
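The two lookups side by side, as an added example that is not the puzzle's own code: the unsafe join-then-exists() pattern and the resolve()-plus-containment fix from above, run against a throwaway directory tree built in a temp directory (the upload root, the file names and the outside file are all constructed for the demo). It also covers two cases the fix handles for free: an absolute filename, which pathlib lets replace the left-hand side of the join, and a symlink inside the upload root that points outside it.

```python
"""Added example (not the puzzle's code): path traversal via pathlib join,
with the insecure lookup beside the resolve()+containment fix.
All paths below are constructed in a temp directory so the demo runs offline."""
import tempfile
from pathlib import Path
from typing import Optional


def make_tree() -> Path:
    """Constructed layout: <base>/uploads/report.pdf (legit) and <base>/secret.txt (outside).
    Also tries to plant <base>/uploads/link -> <base>/secret.txt; skipped where symlinks need privilege."""
    base = Path(tempfile.mkdtemp(prefix="pt_demo_"))
    uploads = base / "uploads"
    uploads.mkdir()
    (uploads / "report.pdf").write_text("ok")
    (base / "secret.txt").write_text("outside the upload root")
    try:
        (uploads / "link").symlink_to(base / "secret.txt")
    except OSError:
        pass  # e.g. Windows without symlink privilege; the symlink case is simply not exercised
    return base


def insecure_lookup(upload_dir: Path, filename: str) -> Optional[Path]:
    """The buggy pattern: join, then only check existence.
    '..' is never collapsed, so a traversal string passes whenever the target exists."""
    target = upload_dir / filename
    return target if target.exists() else None


def secure_lookup(upload_dir: Path, filename: str) -> Optional[Path]:
    """The fix: normalise both sides with resolve(), then require the upload root
    to be an ancestor of the result. Anything else (traversal, absolute path,
    symlink escaping the root, the root itself) returns None, i.e. fails closed."""
    root = upload_dir.resolve()           # resolve the root too, or 'in target.parents' never matches
    target = (root / filename).resolve()  # collapses '..' and follows symlinks
    if root not in target.parents:        # ancestor test, not a string-prefix test
        return None
    return target if target.is_file() else None


def demo() -> dict:
    """Run both lookups over the constructed tree and report what each one does."""
    base = make_tree()
    uploads = base / "uploads"
    escape = "../secret.txt"
    result = {
        "insecure_escapes": insecure_lookup(uploads, escape) is not None,
        "secure_blocks_traversal": secure_lookup(uploads, escape) is None,
        "secure_blocks_absolute": secure_lookup(uploads, str(base / "secret.txt")) is None,
        "secure_allows_legit": secure_lookup(uploads, "report.pdf") is not None,
    }
    if (uploads / "link").is_symlink():
        result["secure_blocks_symlink_escape"] = secure_lookup(uploads, "link") is None
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ancestor test via target.parents is deliberate: a string-prefix check such as str(target).startswith(str(root)) would also accept /var/uploads_old/anything, and stripping "../" from the input before joining is exactly the string-manipulation the review heuristic below warns against. Note that because resolve() follows symlinks, a symlinked file inside the upload root that points outside it is rejected as well; if an application legitimately serves through such links, that is a policy decision to make explicitly rather than a reason to weaken the check.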
Review heuristic
Whenever filesystem path concatenation meets a request value, verify that there is a containment check on the resolved absolute path. The check must come after normalization and must fail closed (reject by default), not by string-stripping ...
External reference: CWE-22: Path Traversal (common in CTF web challenges).