diff --git a/packages/api/src/controllers/uploads.js b/packages/api/src/controllers/uploads.js
index 4e0b9bd2a..82cea2452 100644
--- a/packages/api/src/controllers/uploads.js
+++ b/packages/api/src/controllers/uploads.js
@@ -44,6 +44,10 @@ module.exports = {
     raw: true,
   },
   get(req, res) {
+    if (req.query.file.includes('..') || req.query.file.includes('/') || req.query.file.includes('\\')) {
+      res.status(400).send('Invalid file path');
+      return;
+    }
     res.sendFile(path.join(uploadsdir(), req.query.file));
   },
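Review bot: The new guard calls `req.query.file.includes(...)` without first checking that `req.query.file` is a string, so a request with the parameter missing, repeated (`?file=a&file=b`, parsed to an array) or bracketed (`?file[x]=y`, parsed to an object) either throws a TypeError out of the handler or turns `includes` into an element lookup instead of a substring search. The check is also a denylist on the raw string; containment of the resolved path in the uploads directory is never verified structurally, so the safety of the handler rests entirely on the three substrings being complete. A type guard plus `res.sendFile(file, { root: uploadsdir() })` keeps the 400 for obviously malformed names while letting Express/send enforce that the final path stays under the root, and the hunk header's line counts (6 old / 10 new) versus the visible lines suggest one trailing context line after `},` was lost in the collapse. The enclosing `module.exports` object starts and ends outside the hunk.
```javascript
  get(req, res) {
    const { file } = req.query;
    // The query parser can produce arrays/objects for repeated or bracketed keys; only a plain name is acceptable.
    if (typeof file !== 'string' || file === '' || /[/\\]|\.\./.test(file)) {
      res.status(400).send('Invalid file path');
      return;
    }
    // `root` makes Express/send enforce containment under the uploads dir independently of the string check above.
    res.sendFile(file, { root: uploadsdir() });
  },
```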