diff --git a/discojs-node/src/model_loader.ts b/discojs-node/src/model_loader.ts
index 1da84def0..e4e232417 100644
--- a/discojs-node/src/model_loader.ts
+++ b/discojs-node/src/model_loader.ts
@@ -1,4 +1,5 @@
 import fs from "node:fs/promises";
+import path from "node:path";
 import type { models, DataType } from "@epfml/discojs";
 import { serialization } from "@epfml/discojs";
 
@@ -10,8 +11,20 @@ export async function saveModelToDisk(
 ): Promise {
 const encoded = await serialization.model.encode(model);
 
+ if (
+ path.isAbsolute(modelFileName) ||
+ modelFileName.includes("/") ||
+ modelFileName.includes("\\") ||
+ modelFileName === "." ||
+ modelFileName === ".."
+ ) {
+ throw new Error("Invalid model file name");
+ }
+
+ const modelPath = path.join(modelFolder, modelFileName);
+
 await fs.mkdir(modelFolder, { recursive: true });
- await fs.writeFile(`${modelFolder}/${modelFileName}`, encoded);
+ await fs.writeFile(modelPath, encoded);
 }
 
 export async function loadModelFromDisk(
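Review bot: The name check added to `saveModelToDisk` is a deny-list of known-bad shapes, and it still accepts an empty `modelFileName` (where `path.join` returns the folder itself) and, on Windows, names containing `:`, which `path.isAbsolute` does not necessarily reject. I would keep the existing conditions and add a containment check on the resolved path after them: `if (path.dirname(path.resolve(modelFolder, modelFileName)) !== path.resolve(modelFolder)) throw new Error("Invalid model file name");`. The validation also runs after `serialization.model.encode(model)`, so an invalid name is only rejected once the model has been encoded; moving the check to the top of the function makes it fail fast. `loadModelFromDisk` begins on the last line of this hunk and its body is not visible here; if it builds its path from a caller-supplied file name, the same validation should apply on the read side.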