diff --git a/server.js b/server.js
index ffa60e9..58ac129 100644
--- a/server.js
+++ b/server.js
@@ -229,6 +229,8 @@ const uploads = new Map();
 // Routes
 app.post('/upload/init', async (req, res) => {
   const { filename, fileSize } = req.body;
+
+  const safeFilename = path.normalize(filename).replace(/^(\.\.(\/|\\|$))+/, '')
 
   // Check file size limit
   if (fileSize > maxFileSize) {
@@ -241,20 +243,20 @@ app.post('/upload/init', async (req, res) => {
   }
 
   const uploadId = Date.now().toString();
-  const filePath = path.join(uploadDir, filename);
+  const filePath = path.join(uploadDir, safeFilename);
 
   try {
     await ensureDirectoryExists(filePath);
 
     uploads.set(uploadId, {
-      filename,
+      safeFilename,
       filePath,
       fileSize,
       bytesReceived: 0,
       writeStream: fs.createWriteStream(filePath)
     });
 
-    log.info(`Initialized upload for $(unknown) (${fileSize} bytes)`);
+    log.info(`Initialized upload for ${safeFilename} (${fileSize} bytes)`);
     res.json({ uploadId });
   } catch (err) {
     log.error(`Failed to initialize upload: ${err.message}`);
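Review bot: The new `safeFilename` line calls `path.normalize(filename)` before anything checks that `filename` is a string, so a request body that omits it or sends a non-string makes `path.normalize` throw a TypeError inside the async handler, where the `try` further down does not cover it; guard first with `if (typeof filename !== 'string' || filename.length === 0) { return res.status(400).json({ error: 'filename is required' }); }` using whatever error shape the size-limit branch below already returns. The regex only strips leading `../` / `..\` segments and says nothing about where the joined path ends up, so a comment such as `// strips leading parent-dir segments only; containment is enforced where filePath is built` would make that limit explicit to the next reader. The statement is also missing its terminating semicolon, unlike the rest of the file. The enclosing handler continues past the end of this hunk.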
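Review bot: In the `uploads.set(uploadId, { … })` literal the shorthand `filename,` became `safeFilename,`, which renames the stored property from `filename` to `safeFilename`; any later code that reads `upload.filename` from this map (the chunk/finalize routes are outside this hunk, so this is inferred) would now see `undefined`. Keeping the key stable with `filename: safeFilename,` avoids that. Where `filePath` is built, a containment check on the resolved path is the reliable defence rather than the prefix-stripping regex alone, e.g. `if (!path.resolve(filePath).startsWith(path.resolve(uploadDir) + path.sep)) { return res.status(400).json({ error: 'Invalid filename' }); }` placed before `ensureDirectoryExists(filePath)`, since that call creates directories from user-supplied segments. The handler's closing lines are beyond this hunk.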