path-sanitizer allows bypassing the existing filters, resulting in a path-traversal vulnerability
This is a POC for the path-sanitizer npm package. Its filters can be bypassed, which can result in path traversal. The payload ..=%5c (along with other candidates) can be used to bypass the filters on the CLI. Something similar would likely work on web apps as well.
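A mitigation that does not depend on a filter being complete is to resolve the final path and confirm it still lies inside the intended directory. The following is an added example, not code from path-sanitizer or from this advisory; `fullyDecode`, `resolveInside`, the base directories and the sample inputs are constructed assumptions.

```javascript
// Added example (not path-sanitizer code): verify containment after any filtering.
const path = require('path');

// Decode percent-encoding until stable so %5c and double-encoded %255c are seen
// in final form. Returns null for malformed or excessively nested encoding.
function fullyDecode(input, maxRounds = 3) {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch {
      return null;
    }
    if (decoded === current) return current;
    current = decoded;
  }
  return null;
}

// Returns the resolved path if it stays inside baseDir, otherwise null.
// impl is path.posix or path.win32 (defaults to the host's rules).
function resolveInside(baseDir, userPath, impl = path) {
  const decoded = fullyDecode(userPath);
  if (decoded === null || decoded.includes('\0')) return null;
  // Assumption: treat "\" as a separator on every platform, so the verdict
  // does not change between POSIX and Windows hosts.
  const normalized = decoded.replace(/\\/g, '/');
  const base = impl.resolve(baseDir);
  const target = impl.resolve(base, normalized);
  const rel = impl.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..' + impl.sep) || impl.isAbsolute(rel);
  return escapes ? null : target;
}

// Constructed sample inputs.
const samples = ['report.txt', 'a/../b.txt', '..%5c..%5csecret.txt', '%252e%252e%252fetc'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveInside('/srv/uploads', s, path.posix));
}
```

Run the check on the final string that is handed to the filesystem API, after any sanitizer has been applied, and use the returned path for the file operation rather than the original input.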