Anonymous Intelligence Signal

Critical CWE-22 Path Traversal Vulnerability Patched in File Upload Route

human The Lab unverified 2026-04-26 04:54:07 Source: GitHub Issues

A critical path traversal vulnerability has been remediated in the file upload endpoint at `packages/lib/services/rest/routes/resources.ts`. The flaw falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): insufficient validation of file paths during multipart upload requests let an attacker read from or write to filesystem locations outside the intended upload directory.

The vulnerability stemmed from assigning `request.files[0].path` directly to the file path variable at line 65 of resources.ts, with no sanitization or canonicalization. Traversal sequences such as `../../etc/passwd` or `../../etc/cron.d/malicious` embedded in the upload request were therefore honoured, granting read or write access beyond the upload directory. The route also applied no file extension allowlist or content-type validation; these controls do not stop traversal on their own, but their absence meant nothing constrained what an accepted upload could contain. One point worth confirming when reviewing the fix: in most Node.js multipart parsers, `.path` is the parser-assigned temporary location of the uploaded body, while the client-supplied filename arrives as a separate field, so the containment check must be applied to whichever value actually ends up in a filesystem path.
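The following TypeScript is an added example, not code from resources.ts or the project it belongs to. It places the unsanitized pattern the advisory describes beside a hardened version that canonicalizes the candidate path with `path.resolve`, rejects anything that resolves outside the upload directory, and applies an extension allowlist. `UPLOAD_DIR`, `ALLOWED_EXTENSIONS`, the `UploadedFile` shape, and the sample inputs are assumptions made for the example.

```typescript
import * as path from "path";

// Assumption for the example: the directory uploads are meant to land in.
export const UPLOAD_DIR = path.resolve("/srv/app/uploads");

// Assumption for the example: extensions this hypothetical route accepts.
export const ALLOWED_EXTENSIONS = new Set([".png", ".jpg", ".pdf", ".txt"]);

// Hypothetical shape of one entry of request.files, modelled on what Node.js
// multipart parsers typically expose.
export interface UploadedFile {
  path: string;  // where the parser says the body was written
  name?: string; // client-supplied filename from Content-Disposition
}

// BEFORE: the pattern the advisory describes. Whatever string the request
// carries is used as the destination, unchanged. If that string is
// attacker-influenced, "../../etc/cron.d/malicious" is used verbatim.
export function destinationUnsafe(file: UploadedFile): string {
  const filePath = file.path;
  return filePath;
}

// AFTER: build the destination from the client-supplied name, canonicalize it
// against UPLOAD_DIR, and refuse anything that escapes the directory or has a
// disallowed extension. Returns null when the upload must be rejected.
export function destinationSafe(file: UploadedFile): string | null {
  const candidate = file.name ?? path.basename(file.path);

  // Null bytes can truncate the path at the OS boundary ("a.png\0.exe"),
  // so they are rejected before any normalization.
  if (candidate.includes("\0")) return null;

  // path.resolve collapses "..", ".", and duplicate separators, and an
  // absolute candidate simply replaces UPLOAD_DIR, so the result is always a
  // canonical absolute path that can be tested for containment.
  const resolved = path.resolve(UPLOAD_DIR, candidate);

  // Containment check via path.relative: a child of UPLOAD_DIR yields a
  // relative path that does not begin with "..". Comparing against ".." and
  // "../" (separator included) avoids both the false negative of a sibling
  // directory "uploads-evil" that a plain startsWith(UPLOAD_DIR) would accept,
  // and the false positive of a legitimate file named "..notes.txt".
  const rel = path.relative(UPLOAD_DIR, resolved);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }

  // Extension allowlist: independent of traversal, but the advisory notes the
  // route had none, so the hardened version applies one.
  if (!ALLOWED_EXTENSIONS.has(path.extname(resolved).toLowerCase())) return null;

  return resolved;
}

// Constructed sample inputs, as a multipart parser might hand them to the route.
export const SAMPLE_GOOD: UploadedFile = { path: "/tmp/upload_abc", name: "report.pdf" };
export const SAMPLE_TRAVERSAL: UploadedFile = { path: "/tmp/upload_abc", name: "../../etc/cron.d/malicious" };
```

The hardened version still permits subdirectories beneath `UPLOAD_DIR`; a route that only ever needs a flat directory can tighten it further by using `path.basename(candidate)` before resolving. Any decoding the framework applies to the filename (percent-decoding, for instance) must happen before this check, since `path.resolve` does not decode and would otherwise treat `%2e%2e` as an ordinary directory name.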

The issue was identified by the automated scanner `multi_agent_ai` and subsequently fixed. Verification confirms the build passes and that a re-scan reports no remaining exposure; an LLM-assisted code review also validated the remediation. A passing build and a clean re-scan from the same tool are weak evidence on their own: a regression test that submits traversal payloads (`../` sequences, absolute paths, encoded separators, null bytes) against the patched route is the stronger check. Organizations running this service should confirm their deployments include the patched version and audit recent upload logs for writes outside the upload directory or reads of sensitive paths.