diff --git a/index.html b/index.html
index a4c2184..2371629 100644
--- a/index.html
+++ b/index.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title>SVR.JS 3.9.1</title>
+    <title>SVR.JS 3.9.2</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta charset="UTF-8" />
     <style>
@@ -12,7 +12,7 @@
     </style>
   </head>
   <body>
-    <h1>Welcome to SVR.JS 3.9.1</h1>
+    <h1>Welcome to SVR.JS 3.9.2</h1>
     <br/>
     <img src="/logo.png" style="width: 256px;" />
     <br/>
@@ -117,7 +117,7 @@
     </div>
     <p>Changes:</p>
     <ul>
-      <li>Added new config.json property - exposeModsInErrorPages</li>
+      <li>Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).</li>
     </ul>
     <p>Bugs:</p>
     <ul>
diff --git a/licenses/index.html b/licenses/index.html
index ea9bc43..457a571 100644
--- a/licenses/index.html
+++ b/licenses/index.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title>SVR.JS 3.9.1 Licenses</title>
+    <title>SVR.JS 3.9.2 Licenses</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta charset="UTF-8" />
     <style>
@@ -12,8 +12,8 @@
     </style>
   </head>
   <body>
-    <h1>SVR.JS 3.9.1 Licenses</h1>
-    <h2>SVR.JS 3.9.1</h2>
+    <h1>SVR.JS 3.9.2 Licenses</h1>
+    <h2>SVR.JS 3.9.2</h2>
     <div style="display: inline-block; text-align: left; border-width: 2px; border-style: solid; border-color: gray; padding: 8px;">
       MIT License<br/>
       <br/>
@@ -37,7 +37,7 @@
       OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE<br/>
       SOFTWARE.<br/>
     </div>
-    <h2>Packages used by SVR.JS 3.9.1 and utilities</h2>
+    <h2>Packages used by SVR.JS 3.9.2 and utilities</h2>
     <div style="width: 100%; background-color: #ccc; border: 1px solid green; text-align: left; margin: 10px 0;">
       <div style="float: right;">License: MIT</div>
       <div style="font-size: 20px;">
diff --git a/svr.js b/svr.js
index 2352c85..f45eb21 100644
--- a/svr.js
+++ b/svr.js
@@ -81,7 +81,7 @@ function deleteFolderRecursive(path) {
 }
 
 var os = require("os");
-var version = "3.9.1";
+var version = "3.9.2";
 var singlethreaded = false;
 
 if (process.versions) process.versions.svrjs = version; // Inject SVR.JS into process.versions
@@ -4043,7 +4043,8 @@ if (!cluster.isPrimary) {
 
       // Sanitize URL
       var sanitizedHref = sanitizeURL(href);
-
+      var preparedReqUrl = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : "");
+      
       // Check if URL is "dirty"
       if (href != sanitizedHref && !isProxy) {
         var sanitizedURL = uobject;
@@ -4076,6 +4077,14 @@ if (!cluster.isPrimary) {
           redirect(sanitizedURL, false);
           return;
         }
+      } else if(req.url != preparedReqUrl && !isProxy) {
+        serverconsole.resmessage("URL sanitized: " + req.url + " => " + preparedReqUrl);
+        if(rewriteDirtyURLs) {
+          req.url = preparedReqUrl;
+        } else {
+          redirect(preparedReqUrl, false);
+          return;
+        }
       }
       
       // Handle redirects to HTTPS
@@ -4206,7 +4215,9 @@ if (!cluster.isPrimary) {
           }
 
           var sHref = sanitizeURL(href);
-          if (sHref != href.replace(/\/\.(?=\/|$)/g, "/").replace(/\/+/g, "/")) {
+          var preparedReqUrl2 = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : "");
+          
+          if (req.url != preparedReqUrl2 || sHref != href.replace(/\/\.(?=\/|$)/g, "/").replace(/\/+/g, "/")) {
             callServerError(403);
             serverconsole.errmessage("Content blocked.");
             return;
diff --git a/tests.html b/tests.html
index 2a1964f..9cccfce 100644
--- a/tests.html
+++ b/tests.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title>SVR.JS 3.9.1 Tests</title>
+    <title>SVR.JS 3.9.2 Tests</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta charset="UTF-8" />
     <style>
@@ -12,7 +12,7 @@
     </style>
   </head>
   <body>
-    <h1>SVR.JS 3.9.1 Tests</h1>
+    <h1>SVR.JS 3.9.2 Tests</h1>
     <h2>Directory</h2>
     <iframe src="/testdir" width="50%" height="300px"></iframe>
     <h2>Directory (with query)</h2>